Feb 03, 2011

Focus on security following leaks

Companies urged to check website security and disclosure policies following third major earnings leak in three months

Companies are reviewing their website security following the latest earnings leak at a public company in the US.

Last week, Microsoft saw its second quarter results published 70 minutes early after a search spider guessed the URL of the company’s unpublished earnings release.

Search spiders are computer programs that crawl websites looking for both published and unpublished information. NetApp and The Walt Disney Company were caught out in a similar way last November.

In response to the earnings leak, Microsoft is currently undertaking an investigation to find out what exactly went wrong. The company has stated it will work to ensure this does not happen again.

Meanwhile, Intel has made changes to its website security following the leaks at Microsoft and other companies.

‘We have found a number of issues and have done a great deal of work on it,’ comments Kevin Sellers, head of IR at Intel.

IR departments received a further call to action this week, when NIRI’s president and chief executive Jeff Morgan urged IROs to review their disclosure procedures in his weekly newsletter.

‘Ensure your earnings release information and other undisclosed information is secure,’ wrote Morgan.

Microsoft was caught out because the URL of its second quarter release was almost exactly the same as the previous quarter’s address.

Any web user could have found the release, simply by exchanging ‘Q1’ for ‘Q2’ in the web address of the prior release.

Companies can protect themselves against leaks by adding random numbers to URLs and also keeping sensitive documents, like earnings releases, off public servers until the time comes to publish them.
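Both safeguards can be checked automatically before each release. The sketch below is an added example, not code from any company or vendor named in this article; the file paths, the function names and the idea of an embargo list kept by the IR team are assumptions made for illustration.

```python
import re
import secrets

# Quarter token such as "Q1" or "q3" inside a path.
QUARTER = re.compile(r"(?i)q([1-4])")

def next_period_names(prior_path):
    """Paths reachable by bumping a quarter token in a prior release's path
    (Q1 -> Q2, Q4 wraps to Q1; any fiscal-year token is left unchanged)."""
    out = set()
    for m in QUARTER.finditer(prior_path):
        bumped = str(int(m.group(1)) % 4 + 1)
        out.add(prior_path[:m.start(1)] + bumped + prior_path[m.end(1):])
    return out

def audit_docroot(public_files, prior_releases, embargoed):
    """Flag embargoed files already present on the public server.
    A randomized name is still flagged: the file should not be there at all."""
    guessable = set()
    for path in prior_releases:
        guessable |= next_period_names(path)
    findings = []
    for path in sorted(public_files):
        if path in embargoed:
            reason = ("embargoed and guessable from prior URL"
                      if path in guessable
                      else "embargoed file on public server")
            findings.append((path, reason))
    return findings

def randomized_name(stem, ext):
    """Append 128 bits of randomness so the path cannot be derived from last quarter's."""
    return f"{stem}-{secrets.token_urlsafe(16)}{ext}"

if __name__ == "__main__":
    # Constructed sample data, not real company paths.
    prior = ["/ir/FY11-Q1-earnings.docx"]
    docroot = {"/ir/FY11-Q1-earnings.docx", "/ir/FY11-Q2-earnings.docx", "/ir/about.html"}
    for path, reason in audit_docroot(docroot, prior, {"/ir/FY11-Q2-earnings.docx"}):
        print(f"{path}: {reason}")
```

Run as part of the publishing checklist, an empty result means no embargoed document is sitting on the public server.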

‘While in the most recent cases it does seem as though a randomized filename would’ve been a sufficient preventative measure, we feel that the best way to safeguard against these leaks is to ensure that sensitive information is not present on any publicly available web servers prior to full dissemination in accordance with Reg FD requirements,’ comments Bradley Scott, product manager for SNL IR Solutions.

‘My personal view is that companies really should be using a system that has been designed for public companies and their specific risks,’ notes Darrell Heaps, chief executive of Q4 Web Systems.

‘Addressing this at a manual level and having a disclosure policy are starting points. However, humans make mistakes and, as such, things like this should really be taken care of by software.’
