Column: He spent 24 years building his business. A ransomware attack blew it to smithereens

Fran Finnegan
Happier days: Fran Finnegan, with the canary-yellow Corvette his wife gave him for his 70th birthday, just before his SEC Info website was trashed by ransomware hackers. (Fran Finnegan)

Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?

Finnegan quickly searched out a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.

There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site's security and taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.

Ransomware is everywhere. There isn‘t a single industry that isn’t dealing with this problem right now. It's not a fair fight.

Cybersecurity expert Brian Krebs

"As soon as I could, I shut them off," Finnegan, 70, told me from his San Francisco Bay Area home. "But the damage was done."

The attack had started the previous weekend, so for four days the hackers had free access, ransacking the raw material of Finnegan's business like burglars raiding a museum without fear of capture. “I lost everything that essentially makes up my whole operation.”

When the hackers were done, they left Finnegan a message with a skull and crossbones on a sinister black background, reading "Your Files Are Encrypted" and providing an email address to which he could write to learn the cost of a decryption key to restore his files.

It was yet another extortionate ransomware attack, in which hackers effectively kidnap a business' digital lifeblood and offer to restore it — for a price.

These attacks are becoming almost daily occurrences, though they're typically aimed at big businesses with the wherewithal to pay a multimillion-dollar ransom (generally demanded in bitcoin or another digital currency).

The targets often have the sort of commercial, political or economic footprint — think hospital systems, universities and government agencies — that makes prompt resolutions imperative.

Notable ransomware attacks this year have struck Colonial Pipeline, which had to curtail gasoline deliveries to customers in the Northeast during the episode, and JBS Foods, an international meat processor. Both companies paid ransom — $4.4 million and $11 million, respectively, though much of the Colonial payoff was recovered by the FBI.

The most far-reaching attack appears to be the one that hit Kaseya, an information technology company whose clients serve thousands of small businesses, just before the July 4 holiday weekend.

But most attacks seem to fly under the radar. The consumer information service Comparitech documented 92 ransomware attacks in the U.S. healthcare field in 2020, affecting more than 600 clinics, hospitals and other organizations and more than 18 million patient records. Comparitech estimated the cost of those attacks, including ransoms paid, downtime and recovery, at some $21 billion.

“Ransomware is everywhere," cybersecurity expert Brian Krebs says. "There isn‘t a single industry that isn’t dealing with this problem right now.”

That doesn't mean they're having much success. "There are a lot of predators out there doing this, and the reason we have so many of them is because there’s a lot of easy prey," Krebs says. "We either have to do something about the volume of prey out there, or start taking some of the predators off the board. It’s not a fair fight at the moment for a lot of companies.”

A skull and crossbones with a message that says Your files are encrypted on a black background
Part of the message left by hackers on SEC Info, informing its owner that he would have to pay to retrieve his business' database. (Fran Finnegan)

The attack on Finnegan's site is a twist on what might be considered traditional ransomware, which generally involves the implanting of malicious software in a target system and using it to wreak havoc from within. Finnegan believes that his attackers gained access to his data through a different method, the use of a stolen password.

But it does fall into the broader category of digital extortion. Finnegan hasn't reached out to the hackers via the email address they left because he discovered via an internet search that it's associated with a group accused of taking victims' money but not delivering a decryption key. So he's left with restoring his data virtually by hand.

Finnegan's business, SEC Info, provides his subscribers with access to every financial disclosure document filed with the Securities and Exchange Commission — annual and quarterly reports, proxy statements, disclosures of top shareholders and much more, a vast storehouse of publicly available financial information.

These documents are all available for free directly from the SEC's website or those of issuing companies. But SEC Info is valuable as a one-stop shop for the data. The service was making more than 46 million documents available, their more than 1.6 billion pages easily searchable.

Subscribers could set up alerts for any time a company or major investor filed another document, and crunch the embedded information in myriad ways. For anyone doing research on public companies, SEC Info has been a time-saving tool for finding what they need, for a nominal quarterly fee. (I've been a subscriber for years.)

For now it's inoperable. Finnegan estimates it may take weeks for him to restore everything to its pre-hack condition.

Finnegan launched SEC Info in 1997. He had studied computer science at Notre Dame and earned an MBA at the University of Chicago, then spent about a dozen years on Wall Street as an investment banker at E.F. Hutton and First Boston.

"I got bored with that," Finnegan told me. "Software was much more fun, so I decided to get back into software." With a staff of 15 to 20 people, he hired himself out as a software designer for big corporations.

Then, in the mid-1990s, a sea change came upon the SEC. An insurgent campaigner for free access to government documents named Carl Malamud persuaded the agency to place its EDGAR database of corporate filings online for free, breaking the near-monopoly then held by the commercial LexisNexis service.

The agency, which initially resisted the initiative, soon learned that free access opened the database to a multitude of innovative formats developed by nonprofits and profit-making services, vastly expanding its usefulness to the public.

Finnegan was a pioneer in making the database more accessible. "I thought, I know software and I know Wall Street, and I can do a better job than the SEC," he says, "so I shifted to doing the EDGAR thing, and that's what I've been doing for the last 24 years." Eventually he became one of the largest third-party vendors of SEC filings.

The SEC Info website has a utilitarian appearance, yet is so complete and provides so many parsing and downloading options that it looks like the product of a sizable staff. But it's a one-man operation, thanks to Finnegan's skill at automating its functions. His system is set up to poll the SEC's database two or three times per second and to grab any new filing that shows up.

Finnegan's database of filings, 15 to 20 terabytes in size, was stored on a pair of large-scale servers at a data center in San Francisco. (One terabyte is the equivalent of 1,000 gigabytes; a digital version of a feature film can take up 1.5 to 3 gigabytes of space.) The two servers were redundant, so if one melted down the other would work as a backup.

"I thought I was covered," Finnegan says.

The problem was that his fail-safe arrangement had a couple of holes.

One was that the redundancy protected him against a hardware failure by either server, but not a security breach.

The second was more dangerous. When Finnegan originally set up SEC Info, he gave himself administrative privileges so he could manage the system, and protected his access with a password. The password he used, however, was the same as the password he was using for his Yahoo email account.

That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.

Yahoo had advised its users to change the passwords on their Yahoo accounts, but Finnegan had long since forgotten that he had also used it as his administrative password.

"Had I remembered that I was using a password from 24 years ago," he says, "I certainly would have changed it."

He conjectures that it was sitting around as a ticking time bomb in the hands of anyone with access to the stolen Yahoo data. If you're a hacker, he says, "you take a long list of passwords and keep going back and testing every password, and maybe you'll get a hit."

Finnegan's firewall service, which would protect him from a random breach attempt, wouldn't protect against the use of a legitimate password. As he later discovered, beginning on June 26 his hackers pinged his system 2.5 million times before they finally hit on the right password. He says the firewall logs established that the hacking originated in Russia.

That doesn't mean the hackers were acting on behalf of the Russian state, but it does point to the conclusions by cybersecurity experts that Russian President Vladimir Putin has given a home to hackers such as REvil, which is thought to have launched the Kaseya and Colonial Pipeline attacks, as long as they don't aim at Russian targets.

President Biden issued an indirect warning to Putin about his tolerance of hackers during their meeting in Switzerland on June 16. "Responsible countries need to take action against criminals who conduct ransomware activities on their territory," Biden said after the meeting.

Once the hackers were inside SEC Info, they were able to encrypt everything on both servers — not only the database of documents but also Finnegan's email system and even his list of users and their contact information.

That means that once SEC Info is back in operation, he won't be able to proactively inform his customers what happened — he'll have to wait for them to get in touch with him. There are no indications that his more than 500,000 customers, who he says have included individuals and financial services firms such as Bank of America, Goldman Sachs and JPMorgan Chase & Co., have been placed at risk.

If there's a saving grace, the hackers weren't able to breach another set of servers on which he has stored his software for automating the search function and other features of his website.

But other than that, Finnegan says, "I have to re-create everything, and that takes time. I hope it's not more than a month, but there's no way of knowing right now." He says he doesn't think the restoration will cost him too much out of pocket, but the toll on his time and the aggravation cost, as well as the loss of users, are incalculable.

"There's a ton of stuff to do," he says. "You wouldn't believe how complicated it is." Until Thursday, he wasn't even able to post a message on his website informing visitors that the service is "down due to a ransomware attack" and "will be up as soon as possible." Up to then, the secinfo.com address just returned a blank screen.

Then there's the question of where to find a remedy to the ransomware frenzy. Finnegan and Krebs both observe that the crime has been facilitated by the rise of virtual currencies such as bitcoin, which are harder to trace than traditional forms of payment.

"The only way this is going to stop is if the U.S. outlaws bitcoin," Finnegan says. "That would take away the anonymous payment mechanism, and that takes away the incentive."

In the meantime, the threat is only going to get worse.

This story originally appeared in Los Angeles Times.