Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

Saw it coming? Jon Åslund, CC BY

Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10% in the days before Heartbleed was announced and then recover after the main news items broke?

It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks.

It happened with Sony three years ago, for example, with an outage on their PlayStation network. This lasted more than a week, resulting in a share price drop of 8%. It affected both consumers and developers, causing major embarrassment for the company.

I have analysed how the recent Heartbleed bug affected certain major tech companies. Yahoo! was widely reported to have been hit hard by Heartbleed and to have leaked user information. Amazon had more to lose than most major companies from a dip in consumer confidence related to electronic commerce. Also included in the analysis were HP, Dell, Google, AOL and Microsoft.

The chart below shows the stock price of these companies over the time of the Heartbleed vulnerability. You can see there are two dips, which can be explained by three main phases.

The ups and downs of big tech stock during Heartbleed crisis. Google Finance

Day zero minus two

The first phase related to the technical release of information about the vulnerabilty. The first major news release was on April 7 with the stark message: “We are doomed.”

We can see that the full dip happened that day, taking these companies’ stock prices down between 3% and 10%. But the slide had been happening for a few days, having started on the previous Thursday. This may have been due to information being disseminated to the major companies, most likely from the security authorities before the rest of the world knew about it.

This would have been intended to give the major companies a day or two to get their systems ready for the so-called day zero threat, where it would be an open season in terms of intruders probing systems.

It could be that this information was also leaked to insiders who then sold their stocks in the major IT companies, waiting for a time to repurchase them at a tidy profit. One thing that would certainly be well known to traders is that a news item can push down a company’s stock price, only for it to recover after it blows over.

Day zero plus one

In the next phase, from April 7 to 9, the companies’ stock prices went back up, almost to normal levels. This was the period where the key technical teams within the major IT companies were patching their systems and reporting back. The information coming back perhaps didn’t look too bad on their systems, which would have made them think they weren’t badly exposed.

The vulnerability was only seen as a technical flaw and nothing to alarm the business community. Few at the time were predicting the storm would hit and the impact that it would have. Traders may well have gone back into the market to repurchase stocks that they had sold in the days before.

Day zero plus two

The news of Heartbleed broke in a major way around the world on April 9. Yahoo! and Amazon were heavily quoted in the news and were seen as being at the most risk.

Yahoo! stock lost 9.4%, while Amazon’s lost 8.3%. More curiously Microsoft went down nearly 5%, even though it was not exposed to the vulnerability.

Two things appear to have been going on – the first could have been profit taking. Traders could bail out of a stock, wait for the news item to play through, then go back in when the stock was at its lowest and make a nice profit. The second may have been a general knee-jerk feeling that the internet was cracking, and that the roof was about to collapse. It seemed possible that user trust in online commerce could be broken.

When the news broke, no one really knew what was going on, even at the highest level. Some governments were advising users to change all their passwords immediately, for example, while others were saying don’t change until things had been patched. For a company such as Amazon this lack of user trust, even for a short period, can have major effects on their infrastructure.

The after effects

After the main news events, stock prices mostly went back to where they started. None of the major companies caused the problem, so their reputations have not been tarnished. Yahoo! is now showing a 0.0% change overall, for example.

Some traders may have done well from the rises and falls during the crisis. The evidence suggests that there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.