Following the recent carbon trading market hack, it was no surprise to hear that a Nasdaq hack has followed suit.
Nasdaq has been the target of regular penetration attempts in recent years. The good news is that a subsidiary service was compromised and not the exchange system itself. More worrisome is the realization that there is no national law or international continuity on reporting security breaches.
About the attack itself: This appears to have been an attack via RFI (remote file inclusion). Here is how Nasdaq described it in a statement:
We detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.
Nasdaq’s description plays down the attack, which was the result of nodes being hacked apparently in the Baltic region of Europe. But RFI and related XSA (cross server attacks), as well as RCE (remote code execution, i.e., MALFI), are serious penetrations. These often act as precursors to DDoS (distributed denial of service) attacks, such as those that occurred in the carbon trading market.
The Nasdaq attack was specifically aimed at the exchange’s Director’s Desk program, which allow directors of major companies to share information, often to help them with drafting upcoming earnings releases and company reports. The Director’s Desk has a wealth of insider information.
One report of the Nasdaq attack in Daily Finance made me sit up and take note:
Had the exchange been located in California, it would have been forced to report these penetrations immediately to all affected customers due to the Golden State's laws covering data-security breaches.
While many states have similar rules on breach notifications, there are significant differences that illustrate the difficulty of any interstate coordination. In all fairness to any enterprise, reporting or classifying breaches is fraught with difficulties, especially when the breach is in one state and the customers affected are in other states.
Even more confusing, according to the National Conference of State Legislation (NCSL), a bipartisan organization that serves the legislators and staff of the US states, is that 45 states have enacted data breach notification laws. However, security breach-related legislation was enacted only in five states and introduced in at least 18 states in 2010, so that leaves 27 states still to consider security breach legislation.
Added inconsistencies are evident in the time allowed to “notify customers of a breach of personal information,” which ranges from “Immediately” (Connecticut) to “As soon as possible” (Texas). Not all states impose civil or criminal penalties for failure to promptly notify customers of a breach, and although California has its “Golden State Laws,” it has no sanctions in place against organizations lax in their notification time scales.
Data disposal laws fare even worse, with only 29 states mandating specifics for the disposal of personal data held by businesses and/or governments, according to NCSL. Last month, the Identity Theft Resource Center (ITRC) issued figures for 2010 that showed 662 recorded major breaches and called for a “mandatory US national reporting system.” The report said data breaches were under-reported due to the lack of reporting requirements.
The US has been a forerunner in advocating international laws on cybercrime and data breaches; but this particular attack again emphasizes the complete lack of continuity in reporting and in making customers aware of how they may have been affected.