Hiltzik: real losses from ransomware

When extortionists attacked his business last June, encrypting all his data and operating software and sending him a picture of a skull and crossbones and an email address to find out the price he would have to pay to restore it all, Fran Finnegan thought that it would take him weeks to restore everything to its pre-break-in state.

It took him over a year.

Finnegan Service, SEC Informationreturned to the network on July 18. The past year has been one of brutal 12-hour days, seven days a week, spending tens of thousands of dollars (and a much bigger loss in subscriber payments while the site was down).

The amount of detail I had to deal with was just excruciating… Because I lost everything.

— Fran Finnegan, SEC Info

He had to buy two new high-performance computers or servers and wait for his supplier, Dell, to deal with the shortage of computer chips after the pandemic.

Meanwhile, subscribers who paid up to $180 a year for his services were falling away.

Finnegan estimates that up to half of his followers may have deleted their accounts, causing him to lose six figures in revenue for the year.

He expects most of them to return once they know SEC Info is up and running, but hackers have destroyed his customer database, including email contacts and billing information, so he has to wait for them to actively recover their accounts.

To get SEC Info back online, Finnegan had to painstakingly restore software he had written over the previous 25 years and reinstall a database containing about 15.4 million SEC corporate documents dating back to 1993.

It was truly a heroic effort, and everything was in his hands. Finnegan has been working under intense, self-imposed pressure to keep his service running the way it did before the attack.

“The amount of detail I had to deal with was just excruciating and very frustrating – I thought, ‘I’ve done it all before and now I have to do it all again.’ Because I lost everything.”

About halfway through, a few days before Christmas, he had a stroke – a mild one, manifested by a series of falls, but without any cognitive impairment – which he attributes to the stress he was under.

As I told last year At the start of the Finnegan Trial, SEC Info provides subscribers with access to all financial disclosure documents filed with the Securities and Exchange Commission—annual and quarterly reports, proxy statements, disclosures of major shareholders, and more—a massive repository of publicly available financial information. , presented in a searchable and uniquely well-organized format.

The website looks like the product of a team of data scientists, but it’s a one-man shop. “This is my business,” Finnegan, 71, told me. “I’m the only guy. Nothing will happen if I don’t do it myself.”

With a degree in computer science and an MBA from the University of Chicago, as well as nearly a decade on Wall Street as an investment banker and several years as an independent software developer for large corporations, Finnegan founded SEC Info in 1997.

Page on the SEC Info website.

Back in business: A year later, SECInfo.com is online and has recovered from a ransomware attack in 2021.

(SECInfo.com)

The Securities and Exchange Commission has made its EDGAR database available online for free after recognizing that it will allow entrepreneurs to offer many innovative formats and related information services.

Finnegan was one of the pioneers in this area and eventually became one of the largest third party providers of SEC documents.

Finnegan’s experience opens a window into the little-reported consequences of ransomware—the impact on small businesses like his that don’t have teams of data scientists to mobilize in response, or a footprint big enough to get help from federal or international law enforcement agencies.

Ransomware attacks, in which attackers steal or encrypt victims’ online access or data and demand payment to restore access, have increased in recent years for several reasons.

One is the explosive growth of capabilities: more systems and devices are connected to cyberspace than ever before, and a relatively small percentage are protected by effective cybersecurity measures.

Data thieves can use an ever-expanding arsenal of off-the-shelf tools that “make launching ransomware attacks almost as easy as using an online auction site.” according to Palo Alto Networks, which sells cybersecurity systems. Some ransomware entrepreneurs are “offering ‘starter kits’ and ‘support services’ to would-be cybercriminals…accelerating the speed at which attacks can take root and spread,” Palo Alto reports.

The emergence of cryptocurrencies may also have contributed to these attacks; criminals typically demand payment in bitcoin or other virtual currencies, apparently on the assumption that it is more difficult for authorities to track such transactions than transactions using dollars. (This could be false assumptionas it turns out.)

The scale of the ransomware threat is difficult to estimate, in part because most estimates come from private security firms, who may have incentives to maximize the problem and come up with different numbers anyway.

What seems clear is that the problem is getting big enough to attract attention. White House and international agencies.

Attacks on large enterprises attract the most attention. In 2021 according to a list of 87 attacks compiled by Heimdal SecurityAmong the victims were the consulting firm Accenture, audio company Bose, the National Treasury of Brazil, Cox Media, Howard University, Kia Motors, the National Rifle Association. and the University of Miami.

Health care facilities have long been prime targets. Last year, Scripps Health, a non-profit operator of five hospitals and 19 outpatient clinics in California, had to transfer of patients with stroke and heart attack out of four hospitals and closed trauma centers in two.

Personnel has been blocked in some data systems. The attack was estimated to have cost Scripps at least $113 million.

Finnegan’s attack was too small to be included in these lists. But for him it was a life-changing event.

The disaster began with a massive data breach at Yahoo that happened in 2013, but Yahoo didn’t disclose it until 2016. Hackers have stolen the email passwords, phone numbers, dates of birth, secret questions and answers of 3 billion Yahoo users, including Finnegan.

Finnegan followed Yahoo’s advice and changed the passwords on his Yahoo account, but forgot that he used the same password to access his SEC Info administrative privileges.

This might not have been a problem if it wasn’t for the fact that last summer, before leaving for a week-long vacation, he activated the digital access port to monitor his system from afar.

His old password was a ticking time bomb in the hands of anyone with access to the stolen Yahoo data. Since June 26 last year, hackers have pinged his system 2.5 million times using stolen Yahoo passwords and finally found the right one.

“They were lucky,” he told me. “If they had tried a week earlier or a week later, they wouldn’t have been able to get in.”

Finnegan didn’t know his system had been hacked until a subscriber asked him in a text message why his website was down. When he logged in remotely, he could only watch helplessly as the attackers encrypted all of his files.

Finnegan believed he had an adequate backup because his data was stored on two servers, high-powered computers housed in a San Francisco data center. It was protection against the failure of any of the servers, but not against a hacker using his password.

He briefly considered how to respond to the hackers, but a quick Internet search turned up reports from other victims reporting that they had paid a ransom without receiving a decryption code.

Even if the hackers decrypted Finnegan’s data – which is more than 15 million SEC documents – they corrupted his working software, which could not be restored using decryption.

So Finnegan set about rebuilding his system. Luckily, about 90% of the documents were stored on external drives in his San Francisco home, were offline and therefore out of reach of hackers.

But these were old documents from before 2020, the latest data on saved discs. The remaining 10% were destroyed – more than 1.5 million documents.

It took two months to download the latest documents from the SEC because the agency limits the download speed from its database so that access cannot be monopolized by large users.

The bigger challenge was to recover all the programs Finnegan had written over the years to parse the SEC data and make it usable by his subscribers in a myriad of ways.

“Some of it goes back 25 years and you forget things,” he told me.

First he says, “I thought I’d just get the data, run it through the parsing engine again, reconfigure everything, and you’re done.” He encountered a phenomenon described by former IBM software executive Fred Brooks in his classic book. “Mythical Man-Month”: Software projects always take longer than anyone expects and always miss deadlines.

And so the weeks stretched into months. Finnegan posted his recovery date online and skipped it. “It got to the point where I stopped making predictions because when I didn’t, I felt like an idiot.”

By June, however, “I saw the end of the tunnel,” he says, and predicted a return on his birthday, July 1st. He still wasn’t ready, so he posted a rebuild date on the internet – July 15th – and finally played on July 18th.

This time, Finnegan patched up the security holes that allowed attackers to brutally crack down on his business. He gets almost real-time backups of his data and stores them offline and without an Internet connection, making it much more difficult to access his system remotely.

Finnegan still has a few tasks to complete to make SEC Info work exactly like it used to, but they include features that only a tiny minority of subscribers will ever use. He is confident that he will no longer have to face this disaster.

“I’m pretty sure I won’t get hit again,” he told me. I heard a moment of doubt in his voice, but then confidence returned to him. “No, no one else will go in there,” he said.