Reuters is reporting that the breach of Nasdaq's Web-based service Directors Desk, which was discovered in October of 2010 and not disclosed until February of this year, was much worse than first thought.
Directors Desk, according to a February article in the Wall Street Journal, "...lets leaders of companies, including board members, securely share confidential documents." At the time, sources close to Nasdaq said that "... as far as they can tell no information from Directors Desk, which is operated separately from Nasdaq's trading platform, was taken or compromised."
However, the Reuters story now says that its sources report that the hackers were able to install malware that allowed them to spy on what was happening at the Directors Desk. What was taken - and what was done with the information - is unknown, as is how long the malware was resident before it was discovered last October.
Both the US National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) are investigating the incident.
Nasdaq says that it spends "nearly a billion dollars a year on information security" but even this amount apparently was not enough.
Nasdaq is not commenting on the story by Reuters other than to confirm that the investigation is continuing. I suspect a number of corporate directors are calling Nasdaq today asking them for a fuller explanation of what happened.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.