Exploiting Public Information for Stock Manipulation

Last Wednesday, 9/10, United Airlines saw its stock drop by over 75% in fifteen minutes, over a mistaken news story that came across the Bloomberg business wire announcing that it had filed for bankruptcy.  How this happened has interesting implications for security.

Back on December 10th, 2002, United Airlines really did file for bankruptcy.  It was all over the news, their stock plummeted, they went into reorganization (Chapter 11), and eventually emerged as a going concern.  it wasn’t a good thing for most involved, but it was over and done with.

Many online newspapers have archives of old stories that can be browsed.  The Florida Sun-Sentinel is no exception; it’s a pretty typical newspaper.  Online newspapers also often have dynamic lists of links — “Most Popular,” “Most Active,” etc., based on what articles have been read lately.  For some reason, which we may never know, the 12/10/2002 article somehow made it onto one of the lists.  Maybe it was a slow day and a couple people happened to click on it in rapid succession and it bubbled up to the list, and once it was there people started clicking on it (as the story would be pretty big news if it weren’t six years old.)  Whatever the cause, a link to this old story found its way onto the homepage — Tribune Co. says it was “due to traffic volume,” which I think lends credence to the “a few people clicked on a slow news day” theory, though it could have been deliberate, which I’ll get to later.

News aggregators, the most popular being Google News, crawl reputable news sources like online newspapers for interesting stories, then bump them up or down on their pages based on how popular they turn out to be.  Since this was on the Sun-Sentinel‘s homepage, and probably their RSS feeds as well, the Googlebot pulled it up.  However, the Sun-Sentinel‘s page did not list a dateline for the story — so, lacking any other information, the Googlebot concluded it was new; this is not unreasonable for something suddenly showing up on the front page of a newspaper.  Google News published the article in their aggregator with a dateline of 9/10/08.

People started reading the article, and that pushed it up in the rankings.  Soon, UAL’s bankruptcy was a top story on Google News, which is read by millions.  Some of those readers included stock analysts, one of whom proceeded to put the “news” on the Bloomberg wire, the primary source of breaking news used on Wall Street.  On one hand, it seems foolish of him, and this was probably a career-limiting move.  But on the other hand, Google linked him to the web site of a legitimate newspaper owned by Tribune Co. — he didn’t exactly read this on “hot-stock-picker.ru” or something; why would he doubt its veracity?  It was clearly a professionally-written news article in a major newspaper (or at least a minor paper from a major publisher.)

Wall Street today bears little resemblance to its history before the late 1980s, when “program trades” started.  Program trades are basically what they sound like — computer programs set to execute trades when certain conditions are met.  There were apparently a decent number of program trades set to dump UAL stock upon getting bad news about it over the Bloomberg wire, and they did just that.  UAL, as a mid-cap company with very high volatility, was quite heavily held by hedge funds, who are very heavy users of program trades.  Large, institutional investors — including hedge funds, perhaps especially hedge funds — limit their risk by having standing “stop-loss orders” on large positions.  These are orders to sell the entire position should its share price fall below a certain floor.  The hedge fund selling based on the news was enough to send the stock price down across a few stop-loss orders — and their selling sent it through more, and so on.  The stock dropped 79% in 15 minutes, eradicating literally billions of dollars in shareholder value.  At that point, the exchange stepped in and froze the stock, halting any further trading (as well as the runaway program trades.)

Once people figured out what was going on, the stock was bid back up to $10 again (about 85% of its original value.)  A lot of people ended up upset with Bloomberg, and Google, and the Sun-Sentinel, but there’s no one to sue — the Sun-Sentinel didn’t do anything wrong (they didn’t republish the story or try to call attention to it, it just sat in its archives like it had for the last six years), and the newswires and aggregators aren’t liable for checking the accuracy of things they link to.

What I found interesting, though, is the implications this has for deliberate manipulation.  This appears to have been an accident, but what if someone were to set out to do this on purpose?  All they would need is to find a newspaper or other reputable news source that doesn’t have reliable datelines on all their stories, then pick a stock that has recovered from old bad news or plummeted after old good news — just something where the news, if new, would affect the price substantially.  Rather than waiting for the story to coincidentally rise to the top, a botnet or set of proxies could bid the story up to “most popular” quite quickly.  The attacker would just have to keep it there long enough to be picked up by aggregators.

Essentially, this person would have tomorrow’s news today, and could trade on it.  (Well, really it’s yesterday’s news, but they’d know it before everyone else “knew” it.)  If you were doing this intentially to UAL, you’d first buy put options and short-sell the stock, in anticipation of the sudden drop.  Once it dropped 50%, you’d unwind those positions and start buying — after all, once the error is discovered, the stock will mostly revert to its original value.  It’s not even clear that this sort of manipulation would be illegal — the attacker isn’t a fiduciary, and can’t be charged with insider trading or most securities violations.  Federal law is fuzzy enough that prosecutors can sometimes find a way to charge just about any person with a crime if they really want to, but this would be quite difficult to prove.  It’s not like lots of people don’t hold put options and short sales on volatile, risky companies like UAL, and reversing the position after a big drop would hardly make you alone among traders.  Making 5-10 times their investment on something like this would not be difficult if it worked.

The interesting part about this is that it doesn’t involve an “attack” in the traditional sense.  There’s no cross-site scripting or SQL injection, no stealing of confidential data.  Nothing is involved but clicking on an old news story a few dozen times, and being positioned in the market such that the resulting chaos works to your advantage.  It’s even possible that this did happen with UAL, and the companies involved don’t want to talk about it, for fear of giving people ideas.

attacks, legal

If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.