Expedia Hacked By Its Own Employee, a case study

Pierluigi Paganini December 14, 2016

The Expedia employee, John Ly, is accused of hacking into executives' computers to access confidential corporate information.

It's no secret that cyber criminals are constantly looking towards greener pastures, money green that is. The most sought-after pasture: insider trading and market manipulation. It's a perfect-storm scenario in which almost everyone loses but the hacker. Luckily regulators are well aware of this and dedicate considerable resources to detecting and deterring such fraud. A recent case pursued by the SEC paints a small picture of how these frauds are evolving. It also demonstrates the regulator's determination in pursuing them.

Last week the SEC published the results of its investigation into one of Expedia's IT specialists. The employee, John Ly, is accused of hacking into executives' computers to access confidential corporate information.

Over a three-year span from 2013 to 2016, Ly exploited his role, his access privileges and his credentials to break into executives' computers, which held unreleased financial reports including earnings figures and the company's own assessment of the likely market reaction.

All cyber criminals wear cloaks, usually multiple cloaks; when the criminal is an employee, the concealment is easy to mistake for legitimate activity. In this case, Ly attempted to mask himself by using stolen credentials and passwords belonging to other employees. The earnings reports he obtained were then traded on before their public release. In all, Ly executed nine trades, most under $50k and the largest at almost $120k, netting him an approximate profit of $350k. A nice payday for three years of work, but minuscule in the grand scheme of things. When Expedia eventually discovered the scheme, it immediately reported it to the FBI. After an SEC investigation, Ly was charged with violating Section 10(b) of the Securities Exchange Act (and Rule 10b-5 thereunder) and Section 17(a) of the Securities Act.

This is not the first case of cyber-enabled insider trading or market manipulation. The largest case of its kind was the newswire hacking scheme, in which a team of foreign hackers accessed not-yet-public corporate press releases from distribution services such as PRNewswire.

Those releases were then traded on, through a network of traders, before publication, for an estimated profit of $100 million. In a separate campaign, the group tracked by FireEye as FIN4 used targeted spear phishing to obtain (and weaponize) information on upcoming mergers. The Expedia case does, however, have some unique characteristics. It is one of the first reported cases of an IT director committing an inside hack with the intent to trade on the information, demonstrating that hacking-enabled insider trading is not limited to fraud perpetrated by outside actors.

This applies to cyber crime in general. Organizations can all too easily get caught up implementing technical security controls to shield their networks from outside intrusions while overlooking the human element and the insider risk sitting next to them. Accordingly, companies should employ training and controls to identify suspicious internal or employee behavior. Lastly, this case also demonstrates that the SEC is paying close attention, aggressively investigating and pursuing even seemingly small cases.


In reviewing the sequence of events, it is important to note the degree to which internal control failures may have contributed. For one, the IT professional was able to use other employees' passwords with seemingly little difficulty. Controls that require employees to change their passwords after an IT professional has worked on their account or machine, or that flag suspicious behavior such as an account logging on from a device it is not assigned to, could have helped minimize or eliminate such unauthorized use. Secondly, the employee was able to continue the fraud even after being let go, via a company laptop he secretly kept. A kill switch that cuts off remote access from company-issued mobile devices when the assigned employee leaves also could have limited the damage. Sure, this is all easy to say in retrospect and we don't mean to sound like a Monday morning quarterback; we raise these concerns simply to help organizations looking to build more robust controls.
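The controls described above can be expressed as detection rules run over logon events. The following is an added example, not code from the article or from Expedia, written in Python over a constructed asset inventory, a constructed HR termination feed and constructed logon lines (every device name, account, IP address and date is hypothetical). It flags an account used on a device assigned to someone else, activity by or on the device of an employee who has already left, and the same account appearing on two devices within a few minutes.

```python
"""Insider-access detection over constructed authentication events.

Added example (not from the article or Expedia): three simple rules a SOC
could run over logon events to surface the patterns the case describes.
Device names, accounts, dates and log lines below are all constructed.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: which account each managed device is assigned to.
DEVICE_OWNER = {
    "cfo-laptop-01": "cfo",
    "ceo-laptop-01": "ceo",
    "it-admin-ws-07": "itadmin",
    "it-admin-lt-02": "itadmin",   # laptop that was never returned
}

# Constructed HR feed: account -> date the person left the company.
TERMINATED = {"itadmin": datetime(2015, 2, 1)}

# Constructed logon events, one per line: "<ISO timestamp> <action> key=value ...".
RAW_LOG = """\
2014-09-10T08:02:11 LOGON user=cfo device=cfo-laptop-01 src=10.0.1.15
2014-09-10T08:05:40 LOGON user=itadmin device=it-admin-ws-07 src=10.0.5.23
2014-09-10T08:09:30 LOGON user=cfo device=it-admin-ws-07 src=10.0.5.23
2014-11-03T19:41:02 LOGON user=ceo device=ceo-laptop-01 src=10.0.1.22
2015-03-02T01:30:00 LOGON user=ceo device=it-admin-lt-02 src=203.0.113.7
"""


def parse_event(line):
    """Split one log line into a dict holding ts, action and the key=value fields."""
    ts_str, action, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str), "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines, device_owner, terminated, window=timedelta(minutes=10)):
    """Return (rule, timestamp, principal, detail) tuples for suspicious logons.

    Rules:
      off_device           - an account used on a device assigned to someone else
                             (a stolen credential, or an admin on an executive's box)
      terminated_principal - the account, or the owner of the device, has already
                             left the company (missing deprovisioning / kill switch)
      concurrent_devices   - the same account seen on two devices within `window`
    """
    alerts = []
    last_seen = {}  # user -> (ts, device) of that user's previous logon
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] != "LOGON":
            continue
        ts, user, device = ev["ts"], ev["user"], ev["device"]
        owner = device_owner.get(device)

        # Rule 1: credential used away from the device it belongs to.
        if owner is not None and owner != user:
            alerts.append(("off_device", ts, user, device))

        # Rule 2: account or device owner is past their termination date.
        for principal in (user, owner):
            left_on = terminated.get(principal)
            if left_on is not None and ts >= left_on:
                alerts.append(("terminated_principal", ts, principal, device))
                break  # one alert even if user and owner are the same person

        # Rule 3: same account on a second device inside the window.
        prev = last_seen.get(user)
        if prev is not None and prev[1] != device and ts - prev[0] <= window:
            alerts.append(("concurrent_devices", ts, user, f"{prev[1]} -> {device}"))
        last_seen[user] = (ts, device)
    return alerts


def run():
    """Run the rules over the constructed data and return the alerts."""
    return detect(RAW_LOG.splitlines(), DEVICE_OWNER, TERMINATED)


if __name__ == "__main__":
    for rule, ts, who, detail in run():
        print(f"{ts.isoformat()}  {rule:<21} {who:<8} {detail}")
```

Each rule depends on reference data the organization must already keep accurate: a device-to-owner map for the first and third rules, and an HR leavers feed for the second. The concurrent-devices heuristic will fire on benign roaming (laptop to desktop within minutes), so the window is a tuning knob rather than a fixed value; the terminated-principal rule, by contrast, should be treated as high confidence and paired with the kill switch the paragraph above calls for.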

Lastly, the fact that this scheme was carried out over three years, with a total of nine trades, highlights just how long intrusions can remain undetected. In this case the damage amounted to roughly $350k, and that modest size may itself be a key reason it went undetected for as long as it did; it should go without saying that the damage could have been considerably more severe. The fact that the hacker was also an employee undoubtedly contributed to the long time to discovery.

These types of insider trading security events can inflict significant damage. To start, the cost of complying with a prolonged regulatory investigation can be severe, from e-forensics to document production to defense costs. More frightening, however, is the potential for shareholder or investor litigation following a stock drop. Such claims will often assert negligence and/or failure to implement adequate security controls to prevent the event, and the fact that this fraud ran for three years is troubling on that score. It can be easy for companies to relate all cyber losses back to a cyber insurance policy, but there is often a bigger picture to address. We briefly address insurance because, when intrusions such as these occur, the initial reaction (understandably) is to look to the insurance carrier for indemnification. Companies instinctively looking to their cyber insurance carrier would mostly be looking in the wrong direction: cyber policies regularly contain broad "securities" exclusions that eliminate coverage, and the fact that the fraud was committed by an employee creates an additional barrier, since most cyber policies are worded to cover intrusions by "outside" actors. Much of this damage can, however, be insured against through a well-structured Directors & Officers (D&O) policy that extends coverage to CISOs and CTOs who might also be named in a lawsuit. This is particularly true for public companies, for whom D&O insurance is an absolute must against exactly these claims. While there are many lessons to be learned here, this is just one case, of likely many to come, demonstrating how security failures can result in "securities" fraud.

About the Author: Evan Bundschuh

Evan Bundschuh is vice president and commercial lines head at GB&A, an independent insurance brokerage located in New York focused on insurance programs and risk management solutions for tech companies, financial and professional services, manufacturers and product-based businesses. As an RPLU with 15 years of industry experience, Evan assists clients with insurance program coordination and client-side advising on Directors & Officers (D&O), Professional Liability (E&O) and Cyber Insurance, and is a contributor on the topic of cyber risk.


Pierluigi Paganini

(Security Affairs – Expedia, insider)
