Michael Hiltzik: Ransomware attack cost this entrepreneur a year of his life and almost destroyed his business

When ransomware bandits hit his business last June, encrypting all of his operational data and software and sending him a skull-and-crossbones image along with an email address where he could find out how much he would have to pay to get everything back, Fran Finnegan thought it would take him weeks to restore his systems to their pre-hack state.

It took him over a year.

Finnegan’s service, SEC Info, went back online on July 18. The year leading up to that was marked by brutal 12-hour days, seven days a week, and tens of thousands of dollars in spending (plus the loss of many more in subscriber payments while the site was down).

He had to buy two new servers, high-capacity computers, and wait for his supplier, Dell, to work through a post-pandemic computer chip shortage.

Meanwhile, his subscriber numbers, from customers who were paying up to $180 a year for the service, were falling.

Finnegan estimates that up to half of his subscribers may have canceled their accounts, costing him six figures in lost revenue over the year.

He expects most to return once they learn SEC Info is up and running, but the hackers destroyed his customer database, including email contacts and billing information, so he has to wait for subscribers to come back and reactivate their accounts on their own.

To get SEC Info back online, Finnegan had to painstakingly rebuild the software he had written over the previous 25 years and reinstall a database of some 15.4 million Securities and Exchange Commission filings dating back to 1993.

It was a truly heroic effort, and it was all in his hands. Finnegan worked under intense, self-imposed pressure to get his service up and running as it was before the attack.

“The amount of detail I had to deal with was just excruciating and very frustrating. I thought, ‘I’ve done all of this once, and now I have to do it all over again, because I lost everything.’”

About halfway through, a few days before Christmas, he suffered a stroke – a mild one, manifesting in a series of falls but no cognitive difficulties – which he attributes to the stress he was under.

As I wrote last year at the start of Finnegan’s ordeal, SEC Info provides subscribers with access to all financial reporting documents filed with the Securities and Exchange Commission – annual and quarterly reports, proxy statements, major-shareholder disclosures and more – a vast repository of publicly available financial information presented in a searchable and uniquely organized format.

The website looks like the product of a team of data processing experts, but it is a one-man shop. “It’s my thing,” Finnegan, 71, told me. “I’m the only guy. Nothing happens unless I do it myself.”

A computer science graduate with an MBA from the University of Chicago, along with a dozen years of Wall Street experience as an investment banker and a few years as a freelance software designer for large companies, Finnegan launched SEC Info in 1997.

The SEC had put its EDGAR database online for free after recognizing that doing so would allow entrepreneurs to offer a host of innovative formats and related data services.

Finnegan was one of the pioneers in the field, eventually becoming one of the largest third-party SEC filing providers.

Finnegan’s experience provides a window into the under-reported consequences of ransomware – the impact on small businesses like his, which don’t have teams of data professionals to mobilize in response or a footprint significant enough to obtain assistance from the federal government or international law enforcement agencies.

Ransomware attacks, in which perpetrators lock victims out of their systems or encrypt their data and demand payment to restore access, have proliferated in recent years for several reasons.

One is the explosive growth of opportunity: more systems and devices are tied to cyberspace than ever before, and a relatively small percentage are protected by effective cybersecurity precautions.

Data snatchers can deploy an ever-growing arsenal of off-the-shelf tools that “make launching ransomware attacks almost as easy as using an online auction site,” according to Palo Alto Networks, which markets cybersecurity systems. Some ransomware entrepreneurs “offer ‘starter kits’ and ‘help desks’ to potential cybercriminals, … accelerating the rate at which attacks can be introduced and spread,” Palo Alto reports.

The advent of cryptocurrencies may also have facilitated these attacks; the perpetrators generally demand payment in bitcoin or other virtual currencies, evidently assuming that such transactions are harder for authorities to trace than those in dollars. (That may be a false assumption, as it turns out.)

It’s hard to pin down the scale of the ransomware threat, in part because most estimates come from private security firms, which may have an incentive to overstate the problem and, in any event, report widely differing numbers.

What seems clear is that the problem is growing, enough that it has captured the attention of the White House and international agencies.

Attacks on large corporations attract the most attention. In 2021, according to a list of 87 attacks compiled by Heimdal Security, victims included business consulting firm Accenture, audio company Bose, Brazil’s National Treasury, Cox Media, Howard University, Kia Motors, the National Rifle Assn. and the University of Miami.

Healthcare establishments have long been prime targets. Last year, Scripps Health, the nonprofit operator of five hospitals and 19 outpatient clinics in California, had to divert stroke and heart attack patients from four hospitals and close trauma treatment centers.

Staff were locked out of some data systems. The attack cost Scripps at least $113 million, according to a preliminary estimate.

The attack on Finnegan’s business was too small to appear on such lists. But for him, it was a life-changing event.

The disaster began with a massive data breach at Yahoo that happened in 2013 but that Yahoo didn’t disclose until 2016. Hackers stole email passwords, phone numbers, birthdates and security questions and answers for 3 billion Yahoo users, including Finnegan.

Finnegan followed Yahoo’s advice to change his Yahoo account passwords but forgot that he had used the same password to access his administrative privileges at SEC Info.

That might not have been a problem, except that before leaving for a week’s vacation last summer, he opened a remote-access port so he could monitor his system from afar.

His old password was a ticking time bomb in the hands of anyone with access to the stolen Yahoo data. Starting June 26, the hackers sent 2.5 million pings to his system, trying stolen Yahoo passwords until they finally found the right one.

“They were lucky,” he told me. “If they had tried a week earlier or a week later, they wouldn’t have been able to get in.”
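The shape of the break-in described above, a long run of failed logins from one source followed by a single success on an exposed remote-access port, is the pattern a defender would alert on. As an added illustration (not code from the article or from SEC Info), here is a Python check run over constructed sample log lines in an assumed format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one line per login attempt
# on a remote-access service.  The line format is an assumption.
SAMPLE_LOG = """\
2021-06-26T03:10:01 auth FAIL user=admin src=203.0.113.9
2021-06-26T03:10:02 auth FAIL user=admin src=203.0.113.9
2021-06-26T03:10:02 auth FAIL user=admin src=203.0.113.9
2021-06-26T03:10:03 auth FAIL user=admin src=203.0.113.9
2021-06-26T03:10:04 auth FAIL user=admin src=203.0.113.9
2021-06-26T03:10:05 auth OK   user=admin src=203.0.113.9
2021-06-26T09:00:00 auth FAIL user=admin src=198.51.100.7
2021-06-26T09:05:00 auth OK   user=admin src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src


def find_stuffing_successes(log_text, min_failures=4, window=timedelta(minutes=10)):
    """Return (time, user, src, prior_failures) for every successful login that
    was preceded by at least `min_failures` failures from the same (user, src)
    inside `window`: many wrong guesses, then one that works."""
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps in window
    hits = []
    for ts, outcome, user, src in parse(log_text):
        key = (user, src)
        # Forget failures that fell out of the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
        if outcome == "FAIL":
            recent_fails[key].append(ts)
        elif len(recent_fails[key]) >= min_failures:
            hits.append((ts, user, src, len(recent_fails[key])))
            recent_fails[key].clear()
    return hits


if __name__ == "__main__":
    for ts, user, src, n in find_stuffing_successes(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()}: {user} logged in from {src} after {n} failures")
```

Only the first source trips the alert; the second had one failure, below the threshold, which is why the threshold and window matter more than the raw count.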

Finnegan didn’t know his system had been hacked until a subscriber asked him by text message why his website was down. When he logged in remotely, he could only watch helplessly as the attackers encrypted all his files.

Finnegan believed his data was properly backed up, since it was mirrored on two servers, high-capacity computers housed in a data center in San Francisco. That was protection against either server failing, but not against a hacker logging in with his own password.

He briefly considered responding to the hackers, but a quick online search turned up reports from other victims who had paid the ransom without ever receiving a decryption key.

Even if the hackers had decrypted Finnegan’s data – the more than 15 million documents filed with the SEC – they had trashed his operating software, which no decryption could bring back.

So Finnegan set out to rebuild his system. Fortunately, about 90% of the filed documents had been stored on external drives at his Bay Area home, disconnected from the Internet and therefore beyond the reach of hackers.

But those were older archives: 2020 was the latest data stored on the disks. The remaining 10%, more than 1.5 million documents, had been destroyed.

Downloading the most recent SEC filings took two months because the agency rate-limits downloads from its database so that access cannot be monopolized by heavy users.

The most difficult task was to reconstruct all the programs Finnegan had written over the years to analyze SEC data and make it usable for his subscribers in myriad ways.

“Some things go back 25 years, and you forget stuff,” he told me.

At first, he says, “I thought I was just going to grab the data, run it through the analytics engine again, and reconfigure everything and I’d be done.” He ran into a phenomenon memorably identified by former IBM software executive Fred Brooks in his classic book, “The Mythical Man-Month”: software projects always take longer than expected and always miss their deadlines.

So the weeks turned into months. Finnegan would post a recovery date online and miss it. “It got to the point where I stopped making predictions, because when it didn’t happen, I felt like an idiot.”

By June, however, “I could see the end of the tunnel,” he says, and he was planning a comeback for his birthday, July 1. It still wasn’t ready, so he posted a restore date of July 15 – and finally went live on July 18.

This time around, Finnegan has closed the security holes that let the attackers into his business. He now takes near-real-time backups and keeps them offline, disconnected from the Internet, and he has made remote access to his system much harder to reach.

Finnegan still has a few things to do to get SEC Info working exactly as it used to, but these involve features that only a tiny minority of subscribers ever used. He is convinced he will not have to go through this ordeal again.

“I’m pretty sure I’m not going to get hit again,” he told me. I heard a moment of doubt in his voice, but then his confidence returned. “No, no one will return,” he said.