Medical device company St. Jude filed a lawsuit yesterday against Muddy Waters and MedSec Holdings over a “false” report about cybersecurity issues in St. Jude’s cardiac devices. The August report caused the company’s stock to drop more than ten percent on the heels of those allegations and raised questions around a pending $25 billion deal to be acquired by Abbott Laboratories.
The heart of the issue is that MedSec Holdings, which discovered the alleged flaws, did not disclose them to St. Jude; rather, they took their findings to short-selling firm Muddy Waters in order to short St. Jude stock and turn a profit from the public disclosure.
In its lawsuit, St. Jude said, “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”
The public battle has been at the center of an ongoing debate over the past two weeks — once again putting the issue of manipulating the stock market via cyber front and center.
Malicious Actors Profit From Stock Market
It’s no secret that malicious actors seek similar types of non-public information that can be used to leverage big profits in the stock market.
Perhaps the most famous recent case involves the theft of press releases from various newswire services. According to an August 2015 complaint filed by the Securities Exchange Commission (SEC), hackers gained access to the services, stole more than 100,000 press releases for publicly traded companies, and then used that information – often quarterly or annual earnings data – to reap over $100 million in unlawful profits.
As we noted in our 2015 Cyber Risk Report, the hackers worked with a network of traders to capitalize on the window between when a draft of a press release was provided and when it was made available to the public. In some instances that window was only a few minutes, but having that knowledge was extremely profitable, as the SEC complaint demonstrated.
Additionally, last summer reports of the hacking group Fin4 breaking into corporate email accounts to steal mergers and acquisitions data sparked the SEC to approach companies about possible breaches.
“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” John Reed Stark, a former head of Internet enforcement at the SEC, told Reuters.
Other cybercriminals have used less sophisticated methods to manipulate stock prices.
In July Gery Shalon, 32, and Ziv Orenstein, 41, were extradited from Israel and pled not guilty to charges that included a breach at JPMorgan Chase, which authorities described as the “largest theft of customer data from a U.S. financial institution in history.” The stolen contact information was used to send deceptive communications in order to inflate stock prices, a practice known as pump and dump.
First, they would execute prearranged manipulative trades to cause the stock’s price to rise small amounts on successive days. Then they would send spam emails — sometimes millions a day — touting the stock. Finally, after artificially pumping up the price, they would dump their shares of the stock for huge profits.
A New White-Hat Shorting Strategy
While cyber-experts have long-pointed to the massive profits criminals can make from combining cyber-attacks with strategies such as shorting, the move towards white-hat hackers doing the same thing has created some concern.
MedSec CEO Justine Bone said she knows the approach they used will lead to criticism, but that it was the most powerful way to inflict pain on St. Jude over the company’s “negligent level of attention to cybersecurity.”
Although many companies have implemented bug bounties in an effort to encourage researchers and other hackers to disclose vulnerabilities in a responsible manner, those programs often don’t come with big payouts or spur the change desired by the person who disclosed the bug. Those players may attempt to copy the MedSec strategy — resulting in more profits and more public pressure to respond to alleged vulnerabilities. That gives yet another reason for investors to be concerned over potential cyber issues.
Medical device consultants Billy Rios and Jonathan Butts told Bloomberg that traders were clearly blindsided and scrambling over this new idea, having been inundated with requests from hedge funds, short sellers and other investors about the Muddy Waters report.
“This is almost like The Big Short,” Butts said. “Someone saw something that nobody else did.”