Could a Nasdaq-style breach happen to you?

Cyber attackers targeting computers used by Nasdaq OMX Group Inc. – the company that runs the Nasdaq Stock Market – apparently didn't gain access to the company's trading systems but did manage to infiltrate its Director's Desk portal, a web-based tool used by directors of companies to share governance information.

According to a statement released by Nasdaq, the company had "detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected." Nasdaq conducted an investigation, brought in outside forensic firms and U.S. federal law enforcement, and ended up removing the files in question.

Flaws in custom-developed apps

Nicholas Percoco, Senior Vice President and head of Trustwave's advanced security team, SpiderLabs, said the level of the users and type of information shared across the application makes the portal "a pretty juicy target for attackers."

Although noting that Trustwave is not involved in the Nasdaq investigation, Percoco remarked that "web application flaws are common in custom-developed applications. A motivated attacker has infinite time to find these flaws because these applications are maintained on the Internet and can be accessed from anywhere in the world."

Percoco said SpiderLabs frequently finds flaws in client companies' web portals, business intranets and document exchange systems. "If the systems are being developed and used to house sensitive information from high-profile, high-ranking people within companies, you need to make sure that the security controls are very tight and that the security around application development is tight as well," he said.

Delayed notification

Although The Wall Street Journal broke the story about the breach on Feb. 5, 2011, suspicious activity within the Director's Desk platform had allegedly occurred over a period of months, according to a follow-up article by the publication.

The statement by Nasdaq also indicated the U.S. Department of Justice had asked Nasdaq to delay notifying customers of Director's Desk about the breach until at least Feb. 14 to "facilitate the continuing investigation." In light of public revelations about the breach, however, Nasdaq "immediately decided, in consultation with the authorities," to inform customers.

Nasdaq acquired the company that created Director's Desk in 2007 so the application could be used for exchange of proprietary information, such as financial data and planning documents, among "multinationals or any organization with dozens or hundreds of subsidiary boards." It is used by approximately 5,000 board members from hundreds of companies.

No evidence of theft yet

Percoco believes more findings may surface regarding the Director's Desk breach in coming weeks, despite Nasdaq's assurance that there is no evidence customer information was accessed or acquired by hackers.

"You look at the press releases and statements from companies that have been breached in the past, and they all use similar language," Percoco said. "It usually says something to the effect of, 'we have no indication that there was any data loss at this time.' And then a week or a month later, the story changes."

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.