It's a nightmare scenario for any public company: An IT staffer gets a hold of senior executives' passwords, accesses sensitive non-public information on things like upcoming earnings reports, new products, or potential deals, and trades on it, enriching himself at the expense of company shareholders.
Just such a nightmare recently played out at online travel-booking company Expedia. Last week the Securities and Exchange Commission announced insider trading charges against a San Francisco-based information technology specialist who allegedly hacked senior executives at Expedia and illegally traded on company secrets.
The SEC alleges that Jonathan Ly, who worked in Expedia's corporate IT services department, illegally traded in advance of nine company news announcements from 2013 to 2016 and generated nearly $350,000 in profits. According to the SEC's complaint, Ly exploited administrative access privileges designated for IT personnel to remotely hack into computers and email accounts of senior executives and review confidential documents and pre-earnings reports. Ly mainly targeted information prepared by Expedia's head of investor relations summarizing Expedia's yet-to-be-announced earnings and describing how the market could react to particular announcements. Ly allegedly used this non-public information to make highly profitable trades in Expedia securities ahead of the announcements.
"Ly allegedly exploited his role as an IT professional by stealing passwords and posing as other users in order to access Expedia's confidential information," said Jina L. Choi, director of the SEC's San Francisco Regional Office. "Ly's alleged insider trading scheme continued even after he left Expedia when he secretly kept a company laptop and connected remotely to Expedia's network to steal confidential information."
To settle the charges in the SEC's complaint, which was filed in federal court in Seattle, Ly agreed to pay disgorgement of $348,515.72 plus interest of $27,391.30 for a total of $375,907.02. The settlement is subject to court approval.
Access Control Policies
The Expedia case exposes a few potential flaws in the company's audit processes and should serve as a wake-up call to other companies to adopt policies that might have exposed or prevented the scheme long before it ran its three-year course: separation of duties, periodic password-change rules, audit-log reviews, and better inventorying of company laptops. Such policies should be routinely audited to ensure that employees are in compliance.
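As an added illustration of the audit-log review and laptop-inventory controls just mentioned (example code written for this page, not anything from Expedia or the SEC complaint), the following Python reviewer cross-checks constructed authentication events against an assumed device inventory and HR termination list. It flags the two patterns in the case: an executive's account used from a machine assigned to someone else, and remote sessions from a device still assigned to a departed user; the account names, asset tags and dates are all made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Event:
    when: date      # date of the authentication
    account: str    # account that authenticated
    device: str     # asset tag of the device the session came from
    remote: bool    # True for VPN / remote-access sessions

# Constructed reference data (assumed, not real records):
# device inventory, HR termination dates, and executive accounts.
DEVICE_OWNER = {"LT-0007": "ir_head", "LT-0042": "it_admin"}
TERMINATED = {"it_admin": date(2015, 6, 30)}
EXEC_ACCOUNTS = {"ceo", "ir_head"}

# Constructed sample audit log: one routine login plus the two patterns
# the article describes (credential misuse, post-departure remote access).
EVENTS = [
    Event(date(2015, 2, 3), "ir_head", "LT-0007", False),
    Event(date(2015, 4, 21), "ir_head", "LT-0042", True),
    Event(date(2015, 9, 12), "ceo", "LT-0042", True),
]

def review(events, device_owner, terminated, exec_accounts):
    """Return (event, [reasons]) for every event an audit reviewer should inspect."""
    findings = []
    for ev in events:
        reasons = []
        owner = device_owner.get(ev.device)
        if owner is None:
            reasons.append("session from a device missing from the inventory")
        elif owner != ev.account:
            # Credentials used from a machine assigned to a different person.
            label = "executive " if ev.account in exec_accounts else ""
            reasons.append(f"{label}account used from device assigned to {owner}")
        if ev.account in terminated and ev.when > terminated[ev.account]:
            reasons.append("account active after its termination date")
        if owner in terminated and ev.when > terminated[owner] and ev.remote:
            # The unreturned-laptop case: the asset never left the departed user's name.
            reasons.append(f"remote session from device still assigned to departed user {owner}")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in review(EVENTS, DEVICE_OWNER, TERMINATED, EXEC_ACCOUNTS):
        print(ev.when, ev.account, ev.device, "->", "; ".join(reasons))
```

In practice the event list would come from the directory or VPN logs and the reference tables from the asset and HR systems; the point is that each finding needs data from a source the login log alone does not hold.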
Expedia is hardly alone. A survey conducted by Cisco of IT professionals and end users found that many companies have poor habits when it comes to securing business data from unauthorized users.
- Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.
- Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
- Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
- Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
- Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
To reduce the potential for lost data, especially of sensitive data that could be used for insider trading, companies must integrate security into the corporate culture and consistently evaluate the risks of every interaction with networks, devices, applications, data, and of course, other users. Cisco recommends some simple steps that could help secure sensitive data, such as non-public earnings information.
- Protect systems by using only authorized application and access methods, maintaining security software such as antivirus applications, respecting and maintaining security settings, and preparing for spamming, malware, phishing, and other attack methods.
- Protect portable devices by keeping them in your possession or locked up at all times, not sharing your work devices or using them for personal activities, not forwarding confidential information from work systems to personal devices, and not accessing inappropriate sites or downloading inappropriate information.
- Prevent unauthorized data access by logging off or locking systems when you walk away for a few moments or leave for the evening, using sound password creation techniques and not sharing passwords, and storing passwords securely.
- Prevent data theft while traveling by speaking softly when you have to discuss confidential information in public, using privacy filters to prevent over-the-shoulder viewing, using a VPN, and never using a business printer unless you are there to pick up the paper.