The culprits installed malware, bringing the firm's high speed trading to a halt, and redirecting trade information to the hackers' machines.
In 2013, the servers of a large and powerful hedge fund became the target of hackers. The culprits installed malware, bringing the firm's high speed trading to a halt, and redirecting trade information to the hackers' machines.
While BAE Systems Applied Intelligence declined to provide CNBC the name of the hedge fund when they revealed details of the hack on Thursday, this is a worst-case scenario for any large firm. While most corporate hacks go directly for credit card information or personal data (in some cases, pizza topping preferences) this hack aimed for trade details. By stealing trade information, the fund's trading strategy was jeopardized.
Paul Henninger, global product director at BAE Systems Applied Intelligence, told CNBC this was one of the most complex hacks he has seen in the realm of data extraction. "It's pretty amazing. The level of business sophistication involved as opposed to technical sophistication involved was something we had not seen before."
These hackers possessed two kinds of evil genius: the ability to break into a trading system, and knowing how to use the information they found for their own high-speed trading. Henninger has also seen this two-prong strategy used by hackers attacking insurance companies. They would hack into the system, create fake policies, then file claims against them for profit.
For a hedge fund, this undermines the trust of the clients: "It often takes a while for firms to get comfortable with the idea of exposing what is in effect their dirty laundry to a law enforcement investigation," Henninger said. "You can imagine the impact potentially on investor confidence." In the case of this hedge fund, strategies were lost to hackers and the firm lost several million dollars over the course of several months.
While BEA was able to determine the hack was going on and remove the malicious software, the SEC and FBI can also get involved. Henninger was unsure if the hedge fund had reported the attack to these authorities, and the authorities declined to comment.