Los Angeles Times (Sunday)
Hackers bring a firm to its knees
Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?
He quickly searched out a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.
There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site’s security and taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.
“As soon as I could, I shut them off,” Finnegan, 70, told me from his San Francisco Bay Area home. “But the damage was done.”
The attack had started the previous weekend, so for four days the hackers had free access, ransacking the raw material of Finnegan’s business like burglars raiding a museum without fear of capture. “I lost everything that essentially makes up my whole operation.”
When the hackers were done, they left Finnegan a message with a skull and crossbones on a sinister black background, reading “Your Files Are Encrypted” and providing an email address to which he could write to learn the cost of a decryption key to restore his files.
It was yet another extortionate ransomware attack, in which hackers effectively kidnap a business’ digital lifeblood and offer to restore it — for a price.
These attacks are becoming almost daily occurrences, though they’re typically aimed at big businesses with the wherewithal to pay a multimillion-dollar ransom (generally demanded in bitcoin or another digital currency).
The targets often have the sort of commercial, political or economic footprint — think hospital systems, universities and government agencies — that makes prompt resolutions imperative.
The most far-reaching attack appears to be the one that hit Kaseya, an information technology company whose clients serve thousands of small businesses, just before the July 4 holiday weekend.
“Ransomware is everywhere,” cybersecurity expert Brian Krebs says. “There isn’t a single industry that isn’t dealing with this problem right now.”
The attack on Finnegan’s site is a twist on what might be considered traditional ransomware, which generally involves implanting malicious software in a target system and using it to wreak havoc from within. Finnegan believes that his attackers gained access to his data through a different method: the use of a stolen password.
Finnegan hasn’t reached out to the hackers via the email address they left because he discovered via an internet search that it’s associated with a group accused of taking victims’ money but not delivering a decryption key. So he’s left with restoring his data virtually by hand.
Finnegan’s business, SEC Info, provides his subscribers with access to every financial disclosure document filed with the Securities and Exchange Commission — annual and quarterly reports, proxy statements, disclosures of top shareholders and much more, a vast storehouse of publicly available financial information.
These documents are all available for free directly from the SEC’s website or those of issuing companies. But SEC Info is valuable as a one-stop shop for the data. The service was making more than 46 million documents available, their more than 1.6 billion pages easily searchable.
For now it’s inoperable. Finnegan estimates it may take weeks for him to restore everything to its prehack condition.
Finnegan launched SEC Info in 1997. He had studied computer science at Notre Dame and earned an MBA at the University of Chicago, then spent about a dozen years on Wall Street as an investment banker at E.F. Hutton and First Boston.
“I got bored with that,” Finnegan told me. “Software was much more fun, so I decided to get back into software.”
Then, in the mid-1990s, a sea change came upon the SEC. An insurgent campaigner for free access to government documents named Carl Malamud persuaded the agency to place its EDGAR database of corporate filings online for free, breaking the near-monopoly then held by the commercial LexisNexis service.
Finnegan was a pioneer in making the database more accessible. “I thought, I know software and I know Wall Street, and I can do a better job than the SEC,” he says, “so I shifted to doing the EDGAR thing, and that’s what I’ve been doing for the last 24 years.” Eventually he became one of the largest third-party vendors of SEC filings.
Finnegan’s database of filings, 15 to 20 terabytes in size, was stored on a pair of large-scale servers at a data center in San Francisco. (One terabyte is the equivalent of 1,000 gigabytes; a digital version of a feature film can take up 1.5 to 3 gigabytes of space.) The two servers were redundant, so if one melted down the other would work as a backup.
“I thought I was covered,” Finnegan says.
The problem was that his fail-safe arrangement had a couple of holes.
One was that the redundancy protected him against a hardware failure of either server, but not against a security breach: an intruder holding valid credentials could reach both copies and encrypt them alike.
The second was more dangerous. When Finnegan originally set up SEC Info, he gave himself administrative privileges so he could manage the system, and protected his access with a password. The password he used, however, was the same as the password he was using for his Yahoo email account.
That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.
Yahoo had advised its users to change the passwords on their Yahoo accounts, but Finnegan had long since forgotten that he had also used it as his administrative password.
“Had I remembered that I was using a password from 24 years ago,” he says, “I certainly would have changed it.”
As he later discovered, beginning on June 26 his attackers hammered his login 2.5 million times before they finally hit on the right password. He says the firewall logs established that the attempts originated in Russia.
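The pattern Finnegan found in his firewall logs only after the fact, a long burst of failed logins against one account from one source followed by a success, is exactly what a defender would want an alert on while it is happening. The following is an added example, written for this article rather than taken from it or from SEC Info, in Python. The log line format, the threshold of 20 failures in a ten-minute window, and the sample lines themselves are all constructed assumptions; the real firewall logs described in the column are not shown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not SEC Info's real firewall format):
#   <ISO-8601 UTC timestamp> src=<ip> user=<account> result=FAIL|SUCCESS
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
THRESHOLD = 20                  # failures per (source, account) that raise an alert
WINDOW = timedelta(minutes=10)  # sliding window over which failures are counted


def parse_line(line):
    """Parse one log line into (timestamp, src, user, result)."""
    fields = line.split()
    ts = datetime.strptime(fields[0], TS_FMT)
    kv = dict(f.split("=", 1) for f in fields[1:])
    return ts, kv["src"], kv["user"], kv["result"]


def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src, user) pair that exceeds `threshold` failed
    logins inside `window`. An alert is escalated (succeeded=True) when a
    SUCCESS from the same pair follows the burst, i.e. the guessing worked."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)     # key -> timestamps of failures still inside the window
    total_fails = defaultdict(int)  # key -> failures seen overall
    alerts = {}
    for ts, src, user, result in events:
        key = (src, user)
        q = recent[key]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            total_fails[key] += 1
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "user": user, "first_seen": q[0],
                               "fails": total_fails[key], "succeeded": False}
            elif key in alerts:
                alerts[key]["fails"] = total_fails[key]
        elif result == "SUCCESS" and key in alerts:
            # Highest severity: a login succeeded after a guessing burst.
            alerts[key]["succeeded"] = True
            alerts[key]["success_at"] = ts
    return list(alerts.values())


def build_sample_log():
    """Constructed sample traffic: a guessing burst that succeeds, one
    legitimate user who mistypes once, and a slow source that stays
    below the threshold."""
    base = datetime(2021, 6, 26, 2, 0, 0)
    lines = []
    # Guessing burst: 30 failures ten seconds apart, then a success.
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:{TS_FMT}} src=198.51.100.7 user=admin result=FAIL")
    t = base + timedelta(seconds=300)
    lines.append(f"{t:{TS_FMT}} src=198.51.100.7 user=admin result=SUCCESS")
    # Legitimate user: one typo, then success.
    t = base + timedelta(hours=1)
    lines.append(f"{t:{TS_FMT}} src=203.0.113.5 user=alice result=FAIL")
    t += timedelta(seconds=20)
    lines.append(f"{t:{TS_FMT}} src=203.0.113.5 user=alice result=SUCCESS")
    # Slow source: five failures thirty minutes apart never fill the window.
    for i in range(5):
        t = base + timedelta(hours=2, minutes=30 * i)
        lines.append(f"{t:{TS_FMT}} src=192.0.2.9 user=admin result=FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_guessing(build_sample_log().splitlines()):
        print(alert)
```

The sliding window matters: a single count of total failures would eventually flag any busy account, while counting only failures inside the window keeps a slow trickle of mistakes quiet and still catches a burst of the kind described in the column. Raising the alert on the success that follows the burst, rather than on the failures alone, is what turns log data into a signal that the account should be locked and its password rotated immediately.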
Once the hackers were inside SEC Info, they were able to encrypt everything on both servers — not only the database of documents but also Finnegan’s email system and even his list of users and their contact information.
That means that once SEC Info is back in operation, he won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him. There are no indications that his more than 500,000 customers, who he says have included individuals and financial services firms such as Bank of America, Goldman Sachs and JPMorgan Chase & Co., have been placed at risk.
If there’s a saving grace, the hackers weren’t able to breach another set of servers on which he has stored his software for automating the search function and other features of his website.
But other than that, Finnegan says, “I have to re-create everything, and that takes time. I hope it’s not more than a month, but there’s no way of knowing right now.”
He says he doesn’t think the restoration will cost him too much out of pocket, but the toll on his time and the aggravation cost, as well as the loss of users, are incalculable.
Then there’s the question of where to find a remedy to the ransomware frenzy. Finnegan and Krebs both observe that the crime has been facilitated by the rise of virtual currencies such as bitcoin, which are harder to trace than traditional forms of payment.
“The only way this is going to stop is if the U.S. outlaws bitcoin,” Finnegan says. “That would take away the anonymous payment mechanism, and that takes away the incentive.”
In the meantime, the threat is only going to get worse.