NASDAQ’s ageing software and out of date security patches played a key part in the stock exchange being hacked last year, according to the reported preliminary results of an FBI investigation.
Forensic investigators found some PCs and servers with out-of-date software and uninstalled security patches, Reuters reported, including Microsoft Windows Server 2003. The stock exchange had also incorrectly configured some of its firewalls.
NASDAQ, which prides itself on running some of the fastest client-facing systems in the financial world, does have a generally sound PC and network architecture, the FBI reportedly found.
But sources close to the investigation told Reuters that NASDAQ had been an “easy target” because of the specific security problems found. Investigators had apparently expressed surprise that the stock exchange had not been more vigilant.
"You would have thought they [NASDAQ] would be like a cyber Fort Knox, but that wasn't the case at all," said one source, referencing the importance of the stock exchange to the global financial system.
The ongoing probe is examining NASDAQ’s Directors Desk software, which was breached. The software is used by company directors to share data for project collaboration.
NASDAQ’s vice president of IT services, Carl-Magnus Hallberg, said the hack had been “sophisticated” and used malware that was not well known.
The stock exchange did not provide further comment on the report, and the FBI had not responded to inquiries at the time of writing.
NASDAQ has invested heavily in IT security – including in advanced monitoring, encryption and system segmentation – and is understood to argue that a substantial increase in the number of Directors Desk customers demonstrates the market’s confidence in the product.
Executives at the stock exchange are understood to dispute some of the Reuters report. NASDAQ and the media company’s parent, Thomson Reuters, are data competitors.
The FBI investigation continues.