Earlier this year, there were reports that an online application hosted by Nasdaq to share board information may have been hacked. At the time, there was apparently no evidence that customer information was accessed in the unauthorized entry.
Now Reuters reports that this optimistic scenario may not hold: a form of malicious software may have been installed that permitted actual board information to be viewed, including “confidential documents and the communications of board directors.”
This has happened before, when some parties penetrated defense contractor systems and bypassed the commonly used RSA key fobs in the process.
One of the most sinister aspects of these episodes is that they are very hard to detect by common staff members using typical security means. You don’t know what you don’t know.
The good news is that most online applications aren’t of interest to these unsavory cyber-characters. Sort of the “hiding in plain sight” scenario. And everything these days is “in the cloud” to some extent. Indeed, some of these incursions may be state-sponsored.
What these reports do show is that you should be careful about who you use, and what you place on their systems. In addition, listen carefully to what they say about data protection, and lean in to the conversation when you hear things like “highest levels” of security or “enterprise grade” protections. Those may either be true or just be marketing copy that was never shown to their IT staff.
If the most sophisticated companies (like global financial institutions and major defense contractors) can be hacked, then it seems that anyone can.
And after all, when we used to send board books out by FedEx, they got there on time, but all someone had to do was open the envelope.