
DOJ: Hackers broke into an SEC database and made millions from inside info - djoldman
https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html
======
JumpCrisscross
> _The New York Stock Exchange has asked the SEC to consider limiting the
> amount of data collected by the CAT, which would include data on around 58
> billion daily trades, as well as the personal details of individuals making
> the trades, including their Social Security numbers and dates of birth_

Dropping SSNs for natural persons would be a good idea.

~~~
wtvanhest
IMO, everyone's SSN should be public. Mine has already be compromised by both
my undergrad and grad school. At this point, I operate under the assumption
that it is public knowledge for bad actors.

Hiding SSNs is false security at best. If they were public, banks would stop
hiding behind "identity theft" and would start having to acknowledge that its
their responsibility to confirm who they are lending money to.

~~~
rando444
The problem with identity in the USA has always been a religious problem more
than anything else.

All legislation aimed around allowing people to be identified by numbers has
been killed due to the whole "mark of the beast" .. "can't buy sell or trade
without your number" revelations rhetoric.

As religion has less of an impact on people's daily lives, I expect this to
change, but in the past it's been the one thing that's always prevented proper
identity management in the USA.

I am curious to know though, if there are other countries that don't identify
their citizens with a public id number?

~~~
TheOperator
If its primarily a religious problem why do countries less religious than the
US have similar concepts? SINs in Canada, NINs in the UK, etc. etc

~~~
richardw
ID number in South Africa. Assigned at birth, used for opening of any account.
Not considered private at all, can be requested by any company who might want
to check that you are you. Also: ID card with number, photo and details on it,
separate from drivers license.

~~~
bjelkeman-again
More or less the same in Sweden.

------
btbuildem
People make money off advance information all the time. Often you can see that
in the price action -- take this for example:
[https://imgur.com/mJq1OcY](https://imgur.com/mJq1OcY)

Three days before a positive press release, demand pressure beings to drive up
the price. Coincidence? I'm too jaded to believe that.

~~~
starpilot
It's been pretty well established that insider trading is and has been
rampant: [https://www.cnbc.com/2018/02/14/insider-trading-is-still-
ram...](https://www.cnbc.com/2018/02/14/insider-trading-is-still-rampant-on-
wall-street-two-news-studies-suggest.html)

~~~
latch
There's also a not insignificant number of economist who think it would be
better if it was legal.

Insider trading laws remove information from the system. A common argument is
that Enron could have never Enroned without the help of insider trading laws.

The big winner here is Wallstreet because the information asymmetry still
exists, and they now have the most knowledge that can legally be acted upon.
(plus they can act on illegal knowledge and it's much harder to prove than
anyone else acting on it).

~~~
sverhagen
Layman wondering here: would legal inside trading not encourage the few with
the inside knowledge to themselves exhaust the benefit that is to be had from
the information, at the expense of everyone else? Including shareholders?

~~~
latch
(1) is the best [i think] unbiased analysis I've seen on the subject that
tries to look at it from many points of view.

It seems very complicated, and I don't _really_ understand. But it seems like
in either cases (legal or illegal) the people who benefits and those who
suffers is going to change in every case. For the average investor, in some
cases having more efficient stock prices would be a benefit, in other cases,
the added information asymmetry would be a unfair.

Three points:

1 - Companies could still ban insider trading if that proved more efficient
for them. If liquidity was low because insider trading was allowed, they could
disallow it. The reverse is also true. So at least companies would have the
choice (and investors would also have the choice of where to invest).

2 - While an insider could equally benefit from good and bad news, they are
still incentivized towards positive results (salary, bonuses, keeping their
job, reputation)

3 - My real problem with making insider trading illegal is that it's
completely impossible to enforce consistently and fairly. This adds
uncertainty (how much insider trading is going on in your current
investments?) I think insider trading only applies to buying/selling, but what
if someone has insider knowledge that causes them to NOT take an action. That
seems as unfair but can't be enforced..

(1)
[https://www.frbatlanta.org/-/media/documents/research/public...](https://www.frbatlanta.org/-/media/documents/research/publications/economic-
review/1997/vol82no4_hu-noe.pdf)

------
hkmurakami
Related reading: today's Matt Levine piece on how hard it is to make money
even with this info.
[https://www.bloomberg.com/opinion/articles/2019-01-16/even-c...](https://www.bloomberg.com/opinion/articles/2019-01-16/even-
cheaters-don-t-always-win)

~~~
AznHisoka
They make successful trades 77% of the time they had insider information and
45% when they didnt. That clearly is an advantage.

I would never expect a 90% success rate because of how random Wall Street is,
but 77% over a period of time definitely is an advantage.

~~~
cheeze
That's a _huge_ advantage. Counting cards in blackjack gives a 50.5:49.5 edge
(roughly, there are variables). 77% is absolutely _crushing_ it.

------
roadkillon101
I'm more curious about how they hacked into the SEC database? Did they use an
email trojan? Exploit an existing flaw or backdoor? If they did this via
e-mail, who did they send the mail to?

~~~
tgragnato
The SEC’s complaint alleges that Ieremenko circumvented EDGAR controls that
require user authentication and then navigated within the EDGAR system.

Looks like a way to say “exfiltrating data from the endpoints”.

------
eggie5
This isn't hard to believe if you've worked w/ the Edgar system!

~~~
jefe_
Not a security complaint but an annoying experience with the system:

Sat down one Saturday to create a database for their Financial Statement and
Notes data set [https://www.sec.gov/dera/data/financial-statement-and-
notes-...](https://www.sec.gov/dera/data/financial-statement-and-notes-data-
set.html)

Located documentation, thought okay this shouldn't be too bad. Ended up taking
one day to understand the structure and another to implement the system.
Finally got everything loaded in my tables and spot checked against the
rendered versions on their website only to discover they truncate the most
important text field. It's technically in the documentation that the value
field is limited to 2048, but it's also in the documentation that the value
field is for 'text analysis applications' and their website literally says:
'The information is presented without change from the "as filed" financial
reports submitted by each registrant...' so I managed to gloss over this
detail until I had already spent and entire weekend working on it.

I just can't wrap my mind around how they got 99% of the way there and then
decided, 'hey lets just truncate this field, it's only the entire purpose of
this dataset.'

~~~
elliekelly
> I just can't wrap my mind around how they got 99% of the way there and then
> decided, 'hey lets just truncate this field, it's only the entire purpose of
> this dataset.'

I'm willing to bet this is because they haven't made any significant changes
to the system since it was implemented in 1996.

------
danaos
Former discussion with backstory of the Ukrainian case:

[https://news.ycombinator.com/item?id=17831975](https://news.ycombinator.com/item?id=17831975)

------
zeveb
The fact that the SEC can't secure this sort of information is an _excellent_
argument against key escrow and government backdoors into crypto systems: it's
completely impossible to prevent leakage or theft of that sort of incredibly-
valuable information.

------
lambdasquirrel
How did they do this and only make a few million?...

~~~
ghayes
Matt Levine discussed this topic in Money Stuff today:
[https://www.bloomberg.com/opinion/articles/2019-01-16/even-c...](https://www.bloomberg.com/opinion/articles/2019-01-16/even-
cheaters-don-t-always-win)

Long-story short is that it's not always obvious how the market will react to
releases. Some of the hackers only traded with a ~70% win-rate after holding
the releases.

~~~
AznHisoka
70% is still very very high. They didnt make billions because they probably
started with little capital.

~~~
zorga
70% is extremely high, you can easily get rich with a 51% advantage and making
enough small bets to invoke the law of large numbers.

~~~
lambdasquirrel
That, and depending on the companies they got data on (i.e. any number of
widely traded stocks with large market caps), they could have had a LOT of
volume to play with. This is a big deal and it's mind-boggling that the breach
happened.

------
CedarHill
Seems vaguely similar to another Insider Trading case relating to Slavic-
descent and Marketwire:
[https://www.bloomberg.com/news/articles/2018-07-06/pastor-
co...](https://www.bloomberg.com/news/articles/2018-07-06/pastor-convicted-in-
international-hacking-insider-trading-scam)

------
bredren
Pending public publishing seems to be a common liability for unwanted content
disclosures.

Apple struggles with this with almost every product release.

------
snissn
That's pretty smart

------
da_chicken
So, basically, Trading Places but online?

------
gene_vache
> Hackers broke into an SEC database and made millions from inside info

Given the thirty minute window between copying the file to the server and the
SEC posting the URL, I figure they guessed the URL from an easily predicted
sequence.

------
gammateam
> said the same criminals also stole advance press releases sent to three
> newswire services

Yeah I remember the charges against those people too

Basically newswire services get hacked and people get the earnings reports
beforehand

SEC gets hacked and people get the earnings reports beforehand

I think public resources shouldnt be spent on that. Prosecute the hacking but
just drop the “trading on material non public information but only in the
equities capital markets and only when there is a duty from the source to keep
things nondisclosed” sanctions. It is so narrow but extremely expensive to
prosecute, has with little efficacy in stopping the behavior, and incorrectly
effects the collective conscious on what can be traded and when. People at
this point think its actually illegal to have a trading advantage in any
context

~~~
rocqua
Insider trading is a balance.

On the one hand, we want market prices to be accurate. This means we want
people with material information to trade on that information.

On the other hand, we need some fairness in a market. This is mostly to ensure
people keep trading. In a world were inside-info is commonplace, trading
without it is just stupid. This would cut off a lot of people from investing.

The line needs to be drawn somewhere. The US approach of insider trading
requires a broken 'duty to keep secret' isn't nice, but considering the above
trade-off I think it is better than "All non-public information is off-
limits". Especially because it captures the 'most disruptive' form of insider
trading: people who work at a company that is getting acquired / going
bankrupt.

~~~
JumpCrisscross
> _On the other hand, we need some fairness in a market_

American insider trading law has nothing to do with fairness. It is based on
theft of information. In this case, the hacker’s stole information from the
SEC that belonged to the reporting companies.

(This is a commonly misunderstood alley of securities law.)

~~~
ben509
That's interesting. I was digging around, and this piece[1] goes into detail,
but early on they summarized the rationale for insider trading laws.

"One objection is that it violates the fiduciary duties that corporate
employees, as agents, owe to their principals, the shareholders (Wilgus
1910)."

That supports the theft formulation.

"A related objection is that, because managers control the production of,
disclosure of, and access to inside information, they can transfer wealth from
outsiders to themselves in an arbitrary and hidden way (Brudney 1979; Clark
1986)."

Again, supports the theft formulation.

"The economic rationale advanced for prohibiting insider trading is that such
trading can adversely affect securities markets (Khanna 1997) or decrease the
firm’s value (Haft 1982)."

This seems like the fairness argument, though.

[1]:
[https://www.econlib.org/library/Enc/InsiderTrading.html](https://www.econlib.org/library/Enc/InsiderTrading.html)

~~~
jessaustin
_it violates the fiduciary duties that corporate employees, as agents, owe to
their principals, the shareholders_

Insider trading regs, as currently enforced in USA, get this exactly
backwards. Senior C-suiters are not prohibited from trading their firm's
stock. They only have to carefully choreograph that trading with respect to
other events. They get as much advance time as they need to do this, and as
much professional help as they (or the firm) can afford. They get all this
time to scheme and pre-arrange, precisely because insider trading laws exist
to hammer the lowly middle managers who would like to do their own trading on
inside information.

The sooner trading based on information occurs, the sooner that information is
public. The effect of these regulations is to keep secrets and make misguided
investment more likely. All executives of a public corporation are in a
conspiracy against the investing public. Insider trading laws function
precisely to punish defectors from that conspiracy. This defection should
rather be encouraged, so these are yet another set of laws the effect of which
is entirely backwards from their supposed justification.

------
flatfilefan
Do the journalists believe Lithuania and Ukraine still somehow belong to
Russia? I can’t see any explanation in the article on how was Russia involved.

------
illgenr
Is there a reason why all SEC filing shouldn't be immediately publicly
available?

~~~
airstrike
Because markets are built upon the assumption that time is discrete, not
continuous.

~~~
quickthrower2
But.. is it continuous?

~~~
zorga
In theory yes (Einstein) though we know this theory is wrong at the small
scale so in reality probably not given what we know of quantum mechanics.

------
jaimex2
I take it they would have gotten away with it if they did it from Russia?

