In December 2014, a major incident involving theft of M&A data saw an increased concern for data security in M&A. Dataroom providers and especially users should increase their awareness about data security.
On the 1st of December 2014, security company FireEye reported that a highly sophisticated group of hackers dubbed ‘Fin4’ has been stealing confidential M&A data from nearly 100 publicly traded companies or their advisory firms.
The news comes as a shock to the industry. While information leaks and insider trading have been around for a long lime, the elements of this attack are as yet unseen. Read the specifics below.
Confidential information was stolen, specifically non-public information about merger and acquisition (M&A) deals and major market-moving announcements of publicly traded companies.
No details were released about the companies that were targeted. In the past however, attacks often targeted the healthcare and pharmaceutical industries where stock prices can make significant swings on news of mergers, clinical-trial results and regulatory decisions.
Why would hackers to want to access confidential M&A data?
Presumably the information was stolen for the purpose of insider trading, gaining an unfair advantage in the stock market by using non-public information.
This insider trading could have been done by the hacker group directly trading in the affected stocks, or perhaps by selling the information to others. It is unknown if professional investors or hedge funds might be involved.
However other motives are also possible, as this type of information can be valuable in various scenarios. A possibility is that the opposing sides of merger negotiations would want to gain insight in the other side’s strategy. Or similar, a bidder in an M&A auction wanting knowledge about competing bids. There is no way to tell at this stage.
Who is behind these attacks?
The unknown group of attackers dubbed ‘Fin4’ by researchers at FireEye are not your typical assailants. In the past, hacker attacks often originated in Asia or Eastern Europe, but not this time.
The hackers are native-English speaking, probably US-based or possibly Western European. The group has a clear background in the financial industry, probably from having worked (or still working??) on Wall Street. They show extensive industry knowledge and know the nuances of financial sector regulatory and compliance standards. In short, this is an attack by financial industry insiders.
Fin4 is believed to have started over a year ago, at least since mid-2013. So they would have had plenty of time to benefit from their illegal activities.
How did they steal the data?
Also different from previous hacking events, the attack was not so much technical but social in nature. Fin4 did not use malware to infect IT systems, but employed sophisticated social engineering tactics.
The group could send dangerous versions of legitimate corporate documents and used expert knowledge on product development, purchasing, M&A and legal issues to obtain user’s e-mail passwords. They focussed their attention specifically on the account details of individuals with insider knowledge on M&A deals, such as top executives, lawyers, consultants, bankers, advisors, etc.
What can you do to protect yourself?
Providers of virtual datarooms have made data security the core of their business model. But this attack shows that is pays to focus on the weakest link in the security chain: the end-user. We recommend end-users be especially mindful when handling confidential information and documents, as users are a key part in preventing both technical and social hacking. We therefore recommend to:
- use strong passwords
- use 2-factor authentication when available
- beware of ‘phishing’ e-mails
- never send confidential documents to (unknown) e-mail addresses
- use a secure virtual data room to distribute confidential information
Meanwhile, the FBI and SEC are reviewing the FireEye report and will try to track down the hackers.