Now this is getting serious. While hacks into the e-mail accounts of Sony Pictures execs and Hillary Clinton campaign officials may have seemed amusing to bystanders not directly affected, they underscore the fact that we've entered a new and disturbing place.
Protect your financial life from identity theft
By Brad Allen
It's not just that state actors, namely North Korea and Russia, have been identified as the perpetrators of those two hacks, though that's unsettling enough. It's the seeming inability of corporations and governments to protect the most sensitive data from determined digital pirates.
And just because you're neither a movie studio executive nor running a presidential campaign doesn't mean you're immune. In recent weeks, we've been treated to headlines reporting brazen cyberattacks that strike closer to home, successfully penetrating targets that might have been considered impregnable. First we saw the announcement from the credit reporting agency Equifax revealing that the names, Social Security numbers, addresses and birth dates for as many as 143 million Americans were filched, along with the numbers of some driver's licenses as well as 209,000 credit card numbers. Recent news reports also suggest that a state actor may be behind the data heist.
Then the U.S. Securities and Exchange Commission admitted that its online corporate reporting database, known as EDGAR, had been hacked. While characteristically tight-lipped about the details, the SEC said it had recently determined that an "intrusion" detected last year into the database that public companies use to file sensitive financial information "was exploited and resulted in access to nonpublic information [that] may have provided the basis for illicit gain through trading."
So half of American adults' identities are potentially compromised and the government agency tasked with protecting the integrity of the financial markets saw some of its most sensitive data compromised. Bad actors are going to go where the money is, and we rely on major institutions and governmental organizations to keep our information secure. But clearly, they're in an escalating arms race with the bad guys and it feels like the bad guys are winning.
So what's an individual supposed to do? Equifax has offered to let consumers know if their data is potentially among the 143 million stolen IDs and offers free credit watch protection, but you have to go to their site to take advantage of it. A recent survey conducted by research firm SSRS found that nearly two-thirds of Americans were concerned about the Equifax data breach but fewer than one in five had gone to the Equifax site to find out if their own information had been compromised.
Consumers Union is among the credit experts recommending that worried individuals freeze their credit rather than instituting a "credit lock," which is the alternative the credit reporting agencies are urging. While each has costs and inconvenience, Consumers Union argues that the credit freeze offers more legal protections.
So who are these bad actors and what do they do with their stolen data? The SEC warned that cyberattacks are perpetrated by "identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, so-called 'hacktivists,' terrorists, state-sponsored actors and others." Yikes!
The rapid growth of mobile payments and online gift cards has been accompanied by a rising incidence of account takeover fraud, in which fraudsters establish a phony account, purchase merchandise they can resell and leave merchants on the hook for the loss, which consumers ultimately end up paying for. But that's not all.
Fraudsters have also hacked into individuals' brokerage accounts. One notorious case involved Igors Nagaicevs, a Latvian national operating out of the Seychelles Islands, who over a 14-month period executed 159 trades in the commandeered accounts. By putting in unusually high buy or sell orders in the hijacked accounts, he manipulated prices in 104 lightly traded NYSE- and NASD-listed stocks to drive the price up or down. He reaped more than $850,000 in profits in his own account trading against the phony orders, leaving the victimized individuals and their brokers on the hook for more than $2 million in losses.
The SEC finally shut Nagaicevs down but was never able to locate him for prosecution. Several brokerage houses that gave Nagaicevs and other unnamed individuals unauthorized access to the U.S. markets received wrist-slap $35,000 fines. The SEC declined to comment on the case beyond the information in court filings, including how Nagaicevs gained client account access, who the other unauthorized traders were and what they were doing.
While the SEC never spelled out how Nagaicevs gained control of so many individual brokerage accounts, the fraud tracker Patrick Pretty connected the dots, noting that the industry self-regulatory authority, FINRA, issued a warning about identity theft through hacked e-mails the same day the SEC issued its complaint against Nagaicevs.
So guard your password, and the next time your broker makes you take what seem like extra steps, such as calling you to verify a trade order or insisting on two-step verification to log on to your online brokerage account, thank them.
Brad Allen is a freelance journalist and former investor relations executive for companies including Imation Corp. and Cray Research. His e-mail is brad@bdallen.com.