Effect of Hacking on Stock Price, Or Not?

I read Brian Krebs' story "Tech Firm Ubiquiti Suffers $46M Cyberheist" just now. He writes:

Ubiquiti, a San Jose based maker of networking technology for service providers and enterprises, disclosed the attack in a quarterly financial report filed this week [6 August; RMB] with the U.S. Securities and Exchange Commission (SEC). The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department.

“This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”

Brian credits Brian Honan at CSO Online with noticing the disclosure yesterday.

This is a terrible crime that I would not wish upon anyone. My interest in this issue has nothing to do with Ubiquiti as a company, nor is it intended as a criticism of the company. The ultimate fault lies with the criminals who perpetrated this fraud. The purpose of this post is to capture some details for the benefit of analysis, history, and discussion.

The first question I had was: did this event have an effect on the Ubiquiti stock price? The FY fourth quarter results were released at 4:05 pm ET on Thursday 6 August 2015, after the market closed.

The "Fourth Quarter Financial Summary" listed this as the last bullet:

"GAAP net income and diluted EPS include a $39.1 million business e-mail compromise ("BEC") fraud loss as disclosed in the Form 8-K filed on August 6, 2015"

I assume the Form 8-K was published simultaneously with earnings.

Next I found the following in this five day stock chart.


5 day UBNT Chart (3-7 August 2015)

You can see the gap down from Thursday's closing price, on the right side of the chart. Was that caused by the fraud charge?

I looked to see what the financial press had to say. I found this Motley Fool article titled "Why Ubiquiti Networks, Inc. Briefly Fell 11% on Friday," posted at 12:39 PM (presumably ET). However, this article had nothing to say about the fraud.

Doing a little more digging, I saw Seeking Alpha caught the fraud immediately, posting "Ubiquiti discloses $39.1M fraud loss; shares -2.9% post-earnings" at 4:24 PM (presumably ET). They noted that "accounting chief Rohit Chakravarthy has resigned." I learned that the company was already lacking a chief financial officer, so Mr. Chakravarthy was filling the role temporarily. Perhaps that contributed to the company falling victim to the ruse. Could Ubiquiti have been targeted for that reason?

I did some more digging, but it looks like the popular press didn't catch the issue until Brian Honan and Brian Krebs brought attention to the fraud angle of the earnings release, early today.

Next I listened to the archive of the earnings call. The call was a question-and-answer session, rather than a statement by management followed by Q and A. I listened to analysts ask about head count, South American sales, trademark names, shipping new products, and voice and video. Not until the 17 1/2 minute mark did an analyst ask about the fraud.

CEO Robert J. Pera said he was surprised no one had asked until that point in the call. He said he was embarrassed by the incident and it reflected "incredibly poor judgement and incompetence" by a few people in the accounting department.

Finally, returning to the stock chart, you see a gap down, but recovery later in the session. The market seems to view this fraud as a one-time event that will not seriously affect future performance. That is my interpretation, anyway. I wish Ubiquiti well, and I hope others can learn from their misfortune.

Update: I forgot to add this before hitting "post":

Ubiquiti had FY fourth quarter revenues of $145.3 million. The fraud is a serious portion of that number. If Ubiquiti had earned ten times that in revenue, or more, would the fraud have required disclosure?

The disclosure noted:

"As a result of this investigation, the Company, its Audit Committee and advisors have concluded that the Company’s internal control over financial reporting is ineffective due to one or more material weaknesses."

That sounds like code for a Sarbanes-Oxley issue, so I believe they would have reported anyway, regardless of revenue-to-fraud proportions.

Comments

Chris said…
Many excellent points. I am left with two questions, which hopefully we'll learn the answers to.

First, would these material weaknesses in controls have been flagged absent this incident? Perhaps UBNT's external auditors can answer that. If the controls were the same last year (say), is the only thing that shows they are materially weak the fact that they allowed this fraud? That strikes me kinda like a Civil Engineer telling me that soap is not a good material to build dams with, but only after my soap dam dissolves after contact with water.

Second, if we take the CEO at his word that some folks were "incompetent", does this mean that the controls themselves were OK, but that the incompetents ignored certain control activities? For example, perhaps large-value wire transfers needed multiple approvals, but these were simply rubber-stamped by "incompetent" employees, allowing the bad guys to cash in. The fact that the company is putting new/changed processes in place suggests to me that the controls themselves were not adequate, and that this is not simply a matter of individual failings. If this is indeed so, then coupled with a pessimistic answer to my first question (the weaknesses were only recognized when "the dam dissolved"), one might reasonably conclude that the audit firm (and the audit committee of the board) should be answering some questions, starting with "Why did it take a 40 million dollar fraud for you to notice our controls were inadequate?", followed quickly by "What else might be a matter of highest executive and investor concern that you are not noticing?".

I had two cases come across my desk similar to this one recently. In both cases the hackers abused the online banking of the company rather than their ERP system where business controls such as four eyes principle are implemented. External auditors of course investigate robustness of controls, but the line of reasoning goes like this:

Q: Do you have business controls implemented in your finance system?

A: Yes, here are four-eyes. [Auditor tests]

Q: Any other ways to move cash?

A: Yes, through online banking, only the senior figures have the passwords [auditor checks password list]

Q: What if they do something fraudulent or are scammed themselves?

A: Well, they are Senior Figures [tm] and besides we all had our IT annual training and next day when we review accounts, we would see a discrepancy [Auditor checks training records and the balancing procedures]

In other words, I squarely blame the bank for not having their fraud monitoring systems stop it.

jbmartin6 said…
So to summarize, other companies will not change anything in response since apparently it is not a material issue that has any impact on the stock price.

Anonymous said…
This is actually their second lesson regarding security -

A while ago, someone wrote a worm which propagated using a flaw in the web interface of some UBNT products.

This was kind of odd at the time, as their products then were used in small to medium installations (e.g. marinas) and there was no money to be gained in doing this.

It turned out that the hackers had tried to contact UBNT several times, but no one watched the mailbox set up for such issues.

They're really learning it the hard way.
