When ransomware robbers hit his business last June, encrypting all his data and operational software and sending him a skull-and-crossbones image and an email address where he could learn the price he would have to pay to restore it all, Fran Finnegan thought it would take him weeks to restore everything to its pre-hack condition.
It took him over a year.
Finnegan’s service, SEC Info, was back up and running on July 18. The intervening year was one of 12-hour days, seven days a week, and of spending tens of thousands of dollars (and losing a lot more from paying subscribers while the site was down).
The amount of detail that I have to deal with is just excruciating…. Because I’ve lost it all.
– Fran Finnegan, SEC Info
He had to buy two new high-powered computers, or servers, and wait for his supplier, Dell, to work through the post-pandemic computer chip shortage.
Meanwhile, subscribers, who pay up to $180 a year for his service, dwindled.
Finnegan estimates that about half of his subscribers may have canceled their accounts, costing him six-figure earnings for the year.
He hopes most will come back once they know SEC Info is up and running, but the hackers destroyed his customer database, including email contacts and payment information, so he has to wait for them to actively restore their accounts.
Bringing SEC Info back online required Finnegan to carefully rebuild the software he had written over the previous 25 years and reinstall the SEC’s database of approximately 15.4 million records and corporate transactions dating back to 1993.
It was a truly heroic endeavor, and it was all in his hands. Finnegan had to work under heavy, self-imposed pressure to get his services up and running as they had been before the attack.
“The amount of detail I had to deal with was appalling and very frustrating – I thought, ‘I’ve done all of this once before, and now I have to do it all again.’ Because I lost everything.”
Midway through, a few days before Christmas, he suffered a stroke – a mild stroke characterized by a series of falls, but not any cognitive difficulties – which he attributes to the stress he was experiencing.
As I mentioned last year at the start of Finnegan’s challenge, SEC Info provides subscribers with access to every financial disclosure document filed with the Securities and Exchange Commission: annual and quarterly reports, proxy reports, top shareholder disclosures and more. It is a huge archive of publicly available financial information, presented in a searchable and well-organized format.
The site looks like the product of a team of crawlers, but it’s a one-man shop. “This is mine,” Finnegan, 71, tells me. “I am the only guy. Nothing happens unless I do it myself.”
With a computer science degree and MBA from the University of Chicago, as well as about a decade of experience on Wall Street as an investment banker and several years as an independent software designer for large corporations, Finnegan founded SEC Info in 1997.
The SEC had placed its EDGAR database online for free after realizing that doing so would allow entrepreneurs to offer a range of innovative formats and related data services.
Finnegan was one of the pioneers in the field, eventually becoming one of the largest third-party providers of SEC filings.
Finnegan’s experience opens a window onto consequences of ransomware that go unreported: the impact on small businesses like his, which don’t have a team of data experts to mobilize in response, or a footprint large enough to receive assistance from federal or international law enforcement agencies.
Ransomware attacks, in which the perpetrator steals or encrypts a victim’s data or online access and demands payment to restore it, have increased in recent years for a number of reasons.
One is an explosive growth in opportunity: More systems and devices are linked to cyberspace than ever before, and a relatively small percentage are protected by effective cybersecurity precautions.
According to Palo Alto Networks, which markets cybersecurity systems, data kidnappers can deploy an ever-expanding arsenal to “perform ransomware attacks nearly as simple as using an online auction site”. Some ransomware entrepreneurs “provide ‘starter kits’ and ‘support services’ to cybercriminals, … accelerating the speed at which attacks can be introduced and spread,” Palo Alto reported.
The advent of cryptocurrencies may also have facilitated these attacks; the perpetrators often ask for payments in bitcoin or other virtual currencies, ostensibly on the assumption that such transactions are harder for authorities to track than those using dollars. (Turns out that might be a false assumption.)
It’s hard to put a finger on the scale of the ransomware threat, in part because most estimates come from private security firms, which may have incentives to maximize the problem and in any case give different figures.
What seems clear is that the problem is growing, enough for it to attract the attention of the White House and international agencies.
Attacks on large enterprises attract the most attention. In 2021, according to a list of 87 attacks compiled by Heimdal Security, victims included business consulting firm Accenture, audio company Bose, the Brazilian National Treasury, Cox Media, Howard University, Kia Motors, the National Rifle Assn. and the University of Miami.
Healthcare facilities have long been a prime target. Last year, Scripps Health, the nonprofit operator of five hospitals and 19 outpatient clinics in California, had to move stroke and heart attack patients from four hospitals and shut down trauma centers at two hospitals.
Staff were locked out of several data systems. According to preliminary estimates, the attack cost Scripps at least $113 million.
The attack on Finnegan was too small to appear on these lists. But for him, it was a life-changing event.
The disaster started with a massive data breach at Yahoo that happened in 2013 but that Yahoo didn’t disclose until 2016. The hackers stole the email passwords, phone numbers, dates of birth, and security questions and answers of 3 billion Yahoo users, including Finnegan.
Finnegan followed Yahoo’s advice to change the password on his Yahoo account but forgot that he used the same password for administrative access at SEC Info.
That might not have been a problem, except that before he went on vacation last summer, he activated a digital portal so he could monitor his system remotely.
His old password was a ticking time bomb in the hands of anyone with access to the stolen Yahoo data. Starting on June 26 of last year, the hacker pinged his system 2.5 million times with stolen Yahoo passwords, eventually hitting the right one.
“They were lucky,” he told me. “If they had tried a week before or a week after, they wouldn’t have been able to get in.”
Finnegan had no idea his system had been hacked until a subscriber asked him by text message why his website was down. When he logged in remotely, he could only watch helplessly as the attackers encrypted all his files.
Finnegan thought he was fully backed up, as his data was stored on two servers, high-capacity computers located in a data center in San Francisco. That was a defense against the meltdown of either server but not against a hacker actually using his password.
He briefly thought about responding to the hacker, but a quick online search yielded reports from other victims that they had paid the ransom without receiving the decryption code.
Even if the hackers had decrypted Finnegan’s data — more than 15 million SEC filings — they had trashed his operating software, which couldn’t be recovered via decryption.
So Finnegan started rebuilding his system. Fortunately, about 90% of the records were stored on external disks at his Bay Area home, unplugged from the internet and thus out of reach of hackers.
But those were older records from before 2020, the latest data stored on the disks. The remaining 10% was destroyed – more than 1.5 million documents.
Downloading more recent filings from the SEC took two months because the agency limits download speeds from its database so large users can’t monopolize access.
The more difficult task was to rebuild all the programs Finnegan had written over the years to analyze SEC data and make it usable by his subscribers in multiple ways.
“Some of these date back 25 years, and you forget a lot,” he told me.
At first, he said, “I thought I would just take the data, run it through the parser and reconfigure everything, and I’m done.” He ran into a phenomenon memorably identified by former IBM software executive Fred Brooks in his classic book, “The Mythical Man-Month”: Software projects always take longer than anyone anticipated and always miss their deadlines.
So weeks stretched into months. Finnegan would post a recovery date online and then pass it. “It got to the point where I stopped making predictions, because when it didn’t happen, I felt like an idiot.”
By June, though, “I can see the end of the tunnel,” he said, and he slated his return for his birthday, July 1. The site still wasn’t ready, so he posted online that the restoration date was July 15 – and ended up going back up July 18.
This time, Finnegan sealed the security holes that allowed attackers to compromise his business. He makes near-real-time backups of his data and keeps them offline and unplugged from the internet, and he has made it more complicated to access his system remotely.
Finnegan still has some tasks to complete to make SEC Info work exactly as it once did, but those tasks involve functions that only a handful of subscribers have ever used. He is confident that he will not have to face this tribulation again.
“I’m pretty sure I won’t get hit again,” he told me. I heard a hint of doubt in his voice, but then his confidence returned. “No, no one will be able to get back in,” he said.
https://www.latimes.com/business/story/2022-07-27/ransomware-attack-entrepreneur-victim-recovery Hiltzik: The true toll of ransomware