Reuters Accused of Omitting Disclosures in NASDAQ Breach Reports

Reuters Continues to Highlight Past Security Failures of NASDAQ Product While Failing to Disclose it Offers a Competing Product

10:51 AM - Updated with comment from Reuters

Reuters recently published two stories related to a 2010 NASDAQ security breach, which seemingly recycle data from an original report on the incident earlier this year. Similar cybercrime stories have also mentioned the NASDAQ incident, painting a less than flattering picture of the security posture related to a product offered by the exchange.

Last Thursday, citing anonymous sources connected to the FBI’s probe into the matter, Reuters published a report saying that “lax security” – including misconfigured firewalls, out-of-date software, and missing security patches – allowed attackers access to NASDAQ systems during the breach. For example, the anonymous sources told Reuters that servers running Windows 2003 were not properly updated, thereby missing the security fixes that prevent targeted attacks.

The breach in question relates to NASDAQ Directors Desk, a solution to help board members communicate and collaborate securely. The company says the solution is used by more than 10,000 directors around the globe.

In October, Reuters reported that malware had worked its way into the computer systems that power the Directors Desk platform, allowing attackers to monitor business leaders using the system. Again, the sources cited for this story were familiar with the investigation, but chose to remain anonymous.

The two NASDAQ-related reports, as well as five other stories that mention the incident, failed to disclose an interesting point: Thomson Reuters offers a competing product to NASDAQ’s Directors Desk, and based on comments from NASDAQ recently emailed to customers, Thomson’s product is losing ground.

The recent reports from Reuters offered little new information, as both the security issues and the fact malware was discovered on the Directors Desk system were assumed and disclosed in February of this year. So, are the follow-up stories a business attack against a competitor? Not really, but something seems off.

Because the additional stories from Reuters single out the problems that allowed the breach, reporting them is newsworthy. In fact, while security issues were assumed, Thursday’s report actually confirms what many in the InfoSec community already expected.

The discovery of weak security and the reporting of malicious software on systems connected to Directors Desk were both undisputed by NASDAQ.

According to a letter sent to NASDAQ customers and obtained by SecurityWeek, “After the attack, our customers rightly questioned our security. Since then we have made substantial investments to implement additional cutting-edge security enhancements, thereby outpacing our competitors and bringing our security to an industry leading, military-grade level.”

“Our achievements in security are not lost on our new and existing customers. In fact, in the last 12 months, we have increased sales of Directors Desk by 52% and the number of new users increased by more than 170,” the letter adds.

NASDAQ’s Directors Desk streamlines the communications process and requirements for company board members. Its direct competition from Thomson is BoardLink, another web-based platform designed for communication.

With this in mind, it is entirely possible to assume that the constant mentioning of the NASDAQ attack, and the lack of disclosure about Thomson’s competing product, is a business move.

The lack of disclosure is something that NASDAQ finds “a bit curious.”

“[We] find it a bit curious that Reuters failed to disclose in all their articles that they are one of our biggest competitors. Interestingly, over the last year we have replaced more than 150 Thomson Reuters’ systems and those numbers continue to grow. Their sales force has used these articles, which quote unnamed sources, to try to stop the losses; a point we find very disturbing. We would never accuse Reuters of unethical behavior, but we think it’s important for you to understand the context of these articles,” the NASDAQ letter continues.

An important note to make, and one that must be stressed, is that the reporters who wrote Thursday’s story on the NASDAQ breach, and presumably the others focused on the event, reportedly told NASDAQ that a statement of disclosure about the competing product was included by Reuters reporters.

Joe Christiant, VP of Corporate Communications at NASDAQ, told SecurityWeek in an interview that he had spoken with Reuters reporters, and was assured that a disclaimer would be included in the report. “One of the reporters working on the story told me that there was a disclaimer in the article referencing the competing product. Unbeknownst to the reporter, when the article ran, the disclaimer had been removed,” he said during a phone conversation Friday afternoon.

If the reporters included the disclaimer, why was it missing in the final print? That call likely came from higher-ups in the organization. In news organizations such as Reuters, reporters typically turn their copy in to an editor, who has people above him/her that may require that the copy be passed along before it is printed. The point being, in large media organizations, once the reporters hand the story off, they often have little say in the final release.

SecurityWeek is in touch with Thomson Reuters, and is waiting for an official statement in reaction to the NASDAQ letter, and on Reuters' policy on disclosure. This story will be updated when an official statement is received.

Update 10:51 AM with comment from Reuters: "We didn't believe a disclosure was germane because the story was focused on the FBI's probe of the matter," a Reuters spokesperson told SecurityWeek. "When NASDAQ requested a disclosure post-publication, we did update the article." The most recent story on the NASDAQ Breach from Reuters was updated with the following disclosure, post publication: "Thomson Reuters Corp, the parent of Reuters News, sells a product known as BoardLink that competes with Directors Desk."

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.