Heartbleed bug may have caused insider trading, says web security expert

 


Insider trading may have caused a slide in the share price for Amazon, Yahoo! and other major tech companies in the days before the Heartbleed security bug was made public, a leading web expert has claimed.

The Heartbleed bug, discovered in early April, allowed attackers to steal personal data from computers using vulnerable versions of some popular security programmes.

Shares in Amazon, Yahoo!, Microsoft, HP, Dell, and Google all slid in the days before the public acknowledgement of the bug. Yahoo! stock fell by nearly 10 per cent but recovered almost as soon as news of the vulnerability broke.

Bill Buchanan, a professor at Edinburgh Napier University specialising in electronic crime and online security, told academic research site The Conversation that early warning of the bug’s existence was most likely given to the companies affected by security authorities.

This would give them time to allow their systems to combat the “day zero” threat, where hackers would gang up to exploit vulnerabilities.

Buchanan wrote: “It could be that this information was also leaked to insiders who then sold their stocks in the major IT companies, waiting for a time to repurchase them at a tidy profit.”

“One thing that would certainly be well known to traders is that a news item can push down a company’s stock price, only for it to recover after it blows over.”

Stock prices fell by between three and 10 per cent two days before the news of the Heartbleed bug broke worldwide on 9 April, but by then the shares of the major tech companies had already returned to normal levels.

“Some traders may have done well from the rises and falls during the crisis,” Buchanan wrote. “The evidence suggests that there could have been some insider trading taking place in the days before the story became big news.”

Although the companies should have announced the problem to the stock market as soon as they became aware, “this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied,” Buchanan concluded.

Tonight, the Royal Opera House said it was the latest organisation to be hit by the bug and urged web ticket-buyers to change their passwords as a precaution.

In a message to customers, the ROH said: “The bug has partially affected one of the technologies that the Royal Opera House website uses, although we have no reason to suspect that the Royal Opera House website was compromised and our servers have been updated to fix the issue.

“We fixed the issue as soon as it was published, and have been working to ensure our website is as secure as possible.”

The bug did not affect credit card details because “credit card information is managed using a different technology”.
