Nasdaq OMX Group acknowledged Saturday that a Web-based service that promised more than 10,000 directors of corporate boards that they wouldn't have to worry about their communications "being posted on the Web or landing in someone else's inbox" had "potentially" been hacked.
The exchange operator acknowledged in a statement on its corporate Web site that it had detected "suspicious files" on its servers in the United States. These were "unrelated to our trading systems," it said, but a "web facing application" known as Directors Desk was "potentially affected."
Directors Desk is a service hosted by Nasdaq on its own servers that promises board members they will have complete peace of mind when exchanging documents and other communications in advance of board and shareholder meetings. The service also automatically sends out emails, wireless alerts and faxes that it says are protected from misappropriation.
Nasdaq OMX specifically promotes the security of the online service to boards, stressing the safety of their communications about company strategies, executive compensation, merger or acquisition plans or any conceivable board matter.
Here's what the company says about the multiple levels of security for the Directors Desk:
Offering SAS70 hosting, Ernst & Young annual security audits and quarterly auditing by a renowned security firm, Directors Desk is a security leader in the online Board management industry. You’ll never have to worry that your sensitive material is being posted on the web or landing in someone else’s inbox. Directors Desk also offers industry leading dual-stage authentication systems, complete data backups and disaster recovery, fully automated document retention functionality, and powerful network controls including intrusion detection systems and 24/7/365 network operations monitoring.
SAS 70 refers to the Statement on Auditing Standards No. 70 for Service Organizations, which is an auditing standard developed by the American Institute of Certified Public Accountants that focuses on controls companies have in place over their information technology. Companies that adhere to SAS 70 agree to in-depth audits on those controls.
Nasdaq OMX, in its statement, said that it did not believe that hackers had been able to access any information belonging to any of the 10,000 directors that use it. These directors are at 400 organizations worldwide, including members of the Fortune 500.
Here's the core of what Nasdaq said in its statement:
Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX’s operated or serviced trading platforms compromised.
The lack of penetration of Nasdaq's trading systems was first reported Saturday by the Wall Street Journal.
Nasdaq OMX said it had planned to divulge the investigation of the hacking on February 14, but the Journal story precipitated the release of Saturday's statement.
The cybercrimes unit of the Federal Bureau of Investigation and the U.S. Justice Department are investigating the case.
The penetration is seen as an indication of threats to the nation's economic infrastructure and ability to reliably operate capital markets. As the New York Times reported Sunday:
Nasdaq is one of the country’s largest stock exchanges, and many of the nation’s most important companies use it to list their shares for trading. If there were evidence that hackers could breach the inner trading systems, it could cause jitters among the companies listed on the exchange and the traders and investors who buy and sell millions of shares each day.
If the hackers were able to penetrate the Directors Desk service, here are some functions and forms of exchanging top-level information about public companies that they could have gained control of or selectively compromised:
* A particular director's personal home page. Each director has a robust homepage – accessible from his or her favorites menu or a computer desktop icon – that includes a complete at-a-glance overview of board-related matters. On one screen, directors can see:
Late-breaking announcements, new content for review, items requiring votes or discussion, scheduled board, committee and other meetings.
* A board's agenda. The service has an interactive tool called SmartAgenda that allows board members to create and maintain an online agenda with links to all relevant files.
* Meeting files. The service's File List displays all files associated with the meeting.
* Other company documents. Four document centers house important information, Nasdaq says:
--A Board Documents Center holds meeting minutes, resolutions, archived books, and working documents.
--A Corporate Documents Center includes a library of general purpose documents, including bylaws, policies, procedures, handbooks and department reports.
--A Committee Documents Center holds specific document libraries for each committee's meeting minutes, resolutions, archived books and working documents.
--A Hot Topics Center is a repository of important articles posted by management for the benefit of board and committee members.