Actionable news
All posts from Actionable news
Actionable news in STJ: ST. JUDE MEDICAL Inc,

Carson Block's Attack on St. Jude Reveals a New Front in Hacking for Profit

  • MedSec found cybersecurity vulnerabilities in pacemakers
  • The firm’s strategy is a "watershed moment" for disclosure

When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

In April, Abbott Laboratories announced a $25 billion acquisition of St. Jude, and the deal is expected to close by the end of the year. The information about the device vulnerabilities could put it in peril.

MedSec said it found security failures including a lack of encryption and the ability for unauthorized devices to communicate with the pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. As scary as it sounds, hacking risks to medical devices have been publicized for nearly a decade and the risk to patient safety is still mostly theoretical to hundreds of thousands of people with St. Jude devices. But cybercriminals have started compromising radiology equipment, blood gas analyzers and other machines inside hospitals and nursing homes to steal data for identity theft.

"St. Jude Medical takes the security of devices and their data very seriously," Candace Steele Flippin, St. Jude’s vice president of external communications, said in a statement. "Protection of confidential patient and consumer information is a high priority for us, and we will remain vigilant to the ever-increasing sophistication of those seeking unlawful access to such data. St. Jude Medical has an ongoing program to perform security...