Intel reveals ‘hacked’ earnings release was on guessable URL

Intel has shed new light on its claim that the leak of sensitive financial information from its website last week was the result of a “hack”, admitting that the problem originated from a weakness in its own publication procedures.

The glitch has also highlighted a potential flaw for other companies that use only slight — and easily guessable — variations on common URLs when making their public announcements.

The Intel leak came last Thursday, ahead of the planned after-market announcement of unexpectedly strong fourth-quarter results. The group’s shares rose steadily during the day, before rallying strongly in the final minutes of trading after Intel itself rushed the earnings news out ahead of schedule.

George Davis, chief financial officer, told the Financial Times that Intel acted after discovering that its website had been “hacked”, resulting in an infographic containing details of its earnings circulating outside the company. The company said at the time it was investigating the incident and did not say that its own procedures might have led to the leak.

The company has since disclosed that the information was “inadvertently made publicly accessible”, before being “accessed by third parties”.

The infographic is understood to have been “staged”, or prepared for publication by the company, which included adding the URL. It was not posted to Intel’s investor website, meaning that there were no links to the information, though it was visible to anyone guessing the URL. Intel uses very similar URLs each quarter for its financial disclosures, making it relatively simple for outsiders to guess.

Bruce Schneier, a US cyber security expert, called Intel’s original explanation for the leak “a lame excuse for a hack”, since the company itself had acted in a way that made it easy for someone to access the information.

He added, though, that courts had concluded before that guessing URLs for unpublished information was a contravention of the Computer Fraud and Abuse Act, which makes it illegal for anyone to “exceed authorisation” when accessing a computer system. Mr Schneier compared it to “rattling doorknobs” to see whether someone had left a door unlocked.

Intel said its “network was not compromised and we have adjusted our process to prevent this in the future”.
