SENSITIVE board documents at 300 companies that use NASDAQ OMX’s board portal service may have been repeatedly compromised for over a year by hackers, prompting an investigation by the FBI, the Secret Service and the US Department of Justice.
NASDAQ OMX confirmed in a statement on its website that its board portal Directors Desk, used by directors at many Fortune 500 companies to share confidential internal company strategy and financial information, had been compromised. White House officials have also been briefed on the case.
The exchange said “suspicious files” were found on the US servers during a security scan. The files are thought to be a Trojan horse program that may have been planted to harvest information and send it back to the hackers.
“At this point” no harm detected
The statement said that “at this point” there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. A NASDAQ official told the New York Times that the breach was detected “late last year.”
The Department of Justice instructed the exchange to keep a tight lid on the investigation and not inform its clients until at least February 14, NASDAQ said. However, news of the investigation was published by the Wall Street Journal late Friday night, prompting the exchange to issue the statement and begin informing its clients.
A federal official told The Associated Press that the hackers broke into the service repeatedly over more than a year. There is concern about the identity of the hackers and their motives, and investigators are unsure whether they have been able to plug all potential security gaps, a source told the Wall Street Journal.
10,000 directors use the service
Given the nature of the information shared on Directors Desk, the list of potential hackers could include foreign government operatives wanting corporate secrets or criminal hackers seeking access to confidential information for insider trading purposes.
Sources told the Journal that some evidence was leading them to Russia, but that it might just be that the hackers were using that country to cover their tracks.
Based on the agencies involved and the lack of information that is being shared, it appears that authorities are extremely concerned about the breach. Boards of companies across North America will likely be trying to assess what their exposure or risk might be.
Although NASDAQ OMX noted that only its US servers were hacked, the fact is many companies have international directors on their boards who would use the service.
In a press release last August, NASDAQ OMX said Directors Desk serves “more than 10,000 directors representing more than 230 organizations worldwide, including many Fortune 500 companies.”
“Most vital corporate records”
Tough questions will be asked about Directors Desk security and why the breach was not prevented or detected earlier. In its promotional materials for Directors Desk, NASDAQ OMX says the service offers “SAS70 hosting, Ernst & Young annual security audits and quarterly auditing by a renowned security firm.”
On the Directors Desk website, security is described thus:
Our policies comply with the ISO27001 security standard, providing multiple levels of protection to guard our clients’ confidential data against undesired access. The ISO27001 standard includes employee background screening; policies that restrict physical and logical access to classified information; management of information systems; firewalling; intrusion detection; risk assessment; and guaranteed destruction of expired data.
Directors Desk provides multiple layers of security to protect our clients’ most vital corporate records.
- User authentication is tightly controlled through “strong passwords,” fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system.
- Role-based security protocols control which content is available to each user upon logging in.
- Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm.
Here is the complete statement from NASDAQ OMX:
Statement on Security Violation to NASDAQ OMX Systems
Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX’s operated or serviced trading platforms compromised.
Subsequently, the U.S. Department of Justice requested that we refrain from providing notice to our customers until, at the earliest, February 14, 2011, in order to facilitate the continuing investigation. NASDAQ OMX was honoring the U.S. Government’s request to delay notification, but when a story ran in the media on Saturday, February 5, 2011, regarding a hacking incident at NASDAQ OMX, we immediately decided, in consultation with the authorities, that we must inform our customers.
We continue to evaluate and enhance our advanced security controls to respond to the ever increasing global cyber threat and continue to devote extensive resources to further secure our systems. Cyber attacks against corporations and government occur constantly. NASDAQ OMX remains vigilant against such attacks. We have been working in cooperation with the Government’s ongoing investigations and have received their technical advice for which we are appreciative.