Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

It could be that this information was also leaked to insiders who then sold their stocks in the major IT companies, waiting for a time to repurchase them at a tidy profit. One thing that would certainly be well known to traders is that a news item can push down a company’s stock price, only for it to recover after it blows over.

Day zero plus one
In the next phase, from 7 to 9 April, the companies’ stock prices went back up, almost to normal levels. This was the period where the key technical teams within the major IT companies were patching their systems and reporting back. The information coming back perhaps didn’t look too bad on their systems, which would have made them think they weren’t badly exposed.

The vulnerability was only seen as a technical flaw and nothing to alarm the business community. Few at the time were predicting the storm would hit and the impact that it would have. Traders may well have gone back into the market to repurchase stocks that they had sold in the days before.

Day zero plus two
The news of Heartbleed broke in a major way around the world on 9 April. Yahoo! and Amazon were heavily quoted in the news and were seen as being at the most risk.

Yahoo! stock lost 9.4 percent, while Amazon’s lost 8.3 percent. More curiously, Microsoft went down nearly 5 percent, even though it was not exposed to the vulnerability.

Two things appear to have been going on — the first could have been profit taking. Traders could bail out of a stock, wait for the news item to play through, then go back in when the stock was at its lowest and make a nice profit. The second may have been a general knee-jerk feeling that the internet was cracking, and that the roof was about to collapse. It seemed possible that user trust in online commerce could be broken.

When the news broke, no one really knew what was going on, even at the highest level. Some governments were advising users to change all their passwords immediately, for example, while others were saying not to change them until things had been patched. For a company such as Amazon this lack of user trust, even for a short period, can have major effects on its infrastructure.

The after effects
After the main news events, stock prices mostly went back to where they started. None of the major companies caused the problem, so their reputations have not been tarnished. Yahoo! is now showing a 0.0 percent change overall, for example.

Some traders may have done well from the rises and falls during the crisis. The evidence suggests that there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.

Bill Buchanan is Head, Center for Distributed Computing, Networks and Security at Edinburgh Napier University. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).