The U.S. Securities and Exchange Commission (SEC) has contacted at least eight public companies seeking information on data breaches as part of an investigation into the FIN4 hacker group, Reuters reports.
FIN4, which targets top executives, legal counsel, scientists and researchers at public companies with the aim of breaching their email accounts in order to access insider data, was first exposed by FireEye in a report published last year.
“FireEye believes FIN4 intentionally targets individuals who have inside information about impending market catalysts — events that will cause the price of stocks to rise or fall substantially in a short period of time,” the report stated.
Approximately two-thirds of the companies targeted by FIN4 are healthcare and pharmaceutical companies, according to FireEye, because stocks in those industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues.
John Reed Stark, former head of Internet enforcement at the SEC, told Reuters it’s an “absolute first” for the SEC to contact companies seeking more information on data breaches in connection with insider trading.
“The SEC is interested because failures in cyber security have prompted a dangerous, new method of unlawful insider trading,” Stark said.
A source with knowledge of the investigation told Reuters that the SEC has asked affected companies for information on breaches or attempted breaches, as well as information on spear phishing tactics used by attackers.
Phil Barnett, vice president and general manager, EMEA at Good Technology, told eSecurity Planet by email that the news of the SEC’s investigation once again demonstrates how insecure email accounts can be a gold mine for hackers. “Unless businesses take responsibility for the security of their data, across all devices, they are leaving themselves exposed and vulnerable to attack,” he said.
“Such cyber threats must be tackled head on with a combination of containerization of information and employee education,” Barnett added. “Highly regulated industries require stringent security policies, but threats such as these bring into question their effectiveness.”
Source: eSecurity Planet