Indictments in insider trading case show how hackers expand their reach while security lags

NEW YORK – Companies can spend millions of dollars on state-of-the-art cybersecurity to protect their most precious information, but that could all be for naught if outside companies with access to it don’t adhere to the same high security standards.

Meanwhile, hackers continue to innovate and expand their reach to new targets that may have previously thought they were safe.

Industry observers say Tuesday’s announcement of charges against nine people in the U.S. and Ukraine for allegedly making $100 million by hacking into business newswire services and using that information to make illegal stock trades highlights those security woes.

Scott Moritz, the head of the fraud risk management practice at Protiviti, a business consulting and internal audit firm, called the indictments a “watershed moment” for the convergence of financial crime and cybercrime, noting that hackers have typically been associated with the theft of credit card numbers and personal identification information such as Social Security numbers.

“This is the natural progression,” Moritz says. “Any intellectual property is fair game to these guys, and this is just another example of that.”

Related: Feds accuse group of profiting on Wall Street by hacking merger information from wire services

Meanwhile, getting a handle on who has access to sensitive information and where it’s exactly stored has become increasing complicated for all kinds of companies.

“The lesson in this is your information is only as secure as the people you share it with,” says Matthew L. Schwartz, a partner in the law firm Boies, Schiller & Flexner LLP and a former assistant U.S. attorney for the Southern District of New York.

“If you share that information with a news service, a PR firm or even a law firm, then you need to make sure that it’s secure.”

Several major recent hackings have stemmed from the sharing of sensitive information with outside companies.

It’s widely suspected that the hackers who breached Target Corp.’s computer systems during the 2013 holiday season and stole millions of customer credit and debit cards used the retailer’s connection with a small Pittsburgh-area heating and refrigeration business as the back door to get in.

Related: Target CEO Gregg Steinhafel resigns as fallout from massive data breach continues

And currently, the online photo websites for Rite Aid Corp., CVS Health Corp., Costco and Wal-Mart Canada all remain shut down weeks after the hacking of Canada-based PNI Digital Media, which administers them. The companies have yet to say if customer credit card or other information was stolen in the breach.

Schwartz says third-party companies have become known as the weak links in cybersecurity and have drawn the attention of regulators, who he expects will start looking at them even more closely as the result of Tuesday’s news.

He also notes that the business newswire services, which aren’t directly regulated by the government, are particularly attractive targets for hackers, because they hold market-moving information for not just one, but countless companies.

For its part, PR Newswire said it’s co-operating with investigators and added that, “As cybersecurity threats continue to evolve, so will our information security practices.”