TRADING in FirstRand Limited was halted this week after Reuters published the South African bank’s results the day before their scheduled release claiming it found the information on the company’s website.
In an official statement, FirstRand hinted at a possible case of hacking saying “this information was not accessed from a source that could be considered in the public domain.”
According to news reports, Reuters insists it found the information on the company’s website, but other journalists say no results were posted when they looked.
In each of those leaks, the companies used predictable URLs and failed to secure information they were preparing to release on their websites. This allowed web crawling software operated by Bloomberg and Selerity to retrieve the unpublished information by probing predicted URLs.
Web design firm uses predictable URLs
In its announcement, FirstRand said it was “unclear” where Reuters obtained the information from. According to Business Day, the Johannesburg Stock Exchange (JSE) has asked for an explanation from the group.
Reviewing FirstRand’s website, it’s readily apparent that the bank hosts some of its earnings information on its own website — http://www.firstrand.co.za/ — while portions of it are outsourced and published on a separate site called Financial Results, which uses the domain http://financialresults.co.za/
The information posted on the bank’s domain consists mostly of PDF materials. I don’t believe these files were the source of the leak because they use inconsistent file names and URLs that would be difficult to predict.
However, the content being outsourced and hosted on the Financial Results website, which is registered to a company called Element in Johannesburg, uses URLs that are dead easy to predict.
Here is the URL for this week’s FirstRand results announcement:
And here’s the one for the prior year:
Here’s the URL for this week’s presentation:
And the corresponding one for the prior year:
Based on the above, it’s entirely conceivable that Reuters simply changed 2009 to 2010, and 2010 to 2011 and came up with the website address that FirstRand planned to use for its unpublished results.
FirstRand likely handed over its materials to Element for formatting at least a couple days before it planned to release the information. If the information was unprotected by a password, which is highly irregular but not unheard of as prior incidents have shown, Reuters and anyone else would have had free access to it.
Of course, this is just speculation on my part but it seems obvious that the bank and the JSE should be looking at Element’s Financial Reports website as the most likely source of the leak.
And it’s worth noting that many other high-profile South African companies outsource their HTML reports to Element’s Financial Reports service. The JSE might want to take a quick look at share trading around these other companies’ results to see if anything suspicious pops up.