Ion: after the hack, the clean-up
Some clients are now using Ion systems again, but synchronizing data with CCPs could take days.
Ion Group is allowing some customers to access its systems again after a cyber attack took them offline last week, though it could still be days before the affected services are fully functional.
Clients were informed on February 5 that restoration of the servers and data for futures trading service XTP was around 80–90% complete.
“They have already brought two players back online, and they’re replaying prior trade day activity to bring them current,” says a source who has been working with affected customers.
Users who regain access to XTP must still back-fill the data—loading in trades that were entered manually while the software was offline—and also synchronize their records with futures clearinghouses. That could take days, or longer.
“It looks like we’re within a couple of days of people getting their Ion systems delivered back to them,” says the source. “It could be days or weeks to get caught up and resynchronize with all the clearinghouses.”
The amount of backfilling work has been shifting. A source at one European bank says Ion initially planned to restore user data up to January 27—the Friday before the hack was discovered—but that has since been pushed back to January 24. Customers will therefore have to backfill around two weeks of trade data when they regain access to XTP.
“Their initial feedback was to restore to the 27th because they thought they were clean, but over the weekend the CrowdStrike people said they were not certain the backup would be clean,” the European bank source says. “So, they pushed it back to the 24th.”
CrowdStrike, a cyber security firm, is helping Ion analyze and test the restored systems.
Banks may also need a green light from their in-house cyber security teams before reconnecting to Ion’s systems, which could further delay a return to business-as-usual.
“Step one will be Ion handing over to the bank; step two will be each bank doing its own due diligence to determine whether they want to turn the pipes back on,” says the source working with affected customers. “Ion is leaning on CrowdStrike to clean any environments that are being restored to provide some assurance of safety with regard to reconnecting services.”
Some client sources affected by the outage say Ion has been inconsistent in communicating the status of the recovery efforts. “We do get the feeling they are still in quite the disarray at Ion. We get a lot of non-coherent and conflicting information back on our questions from them. We certainly will not open any firewalls soon toward them,” the European bank source says.
Ion’s recovery efforts to date appear to be focused primarily on XTP, which covers everything from trade execution to clearing workflows and risk analytics. The service was rebranded and relaunched last November, after a suite of existing products had been stitched together to provide “end-to-end” functionality.
The cyber attack also took out other Ion services, including a trade matching system called Seals, a margin calculation engine, and some lesser-used products. Of the 42 impacted clients, 11 are said to be XTP users.
Yesterday, Seals was still offline, with customers awaiting updates on when it would be restored.
“They said the ETA was three days, but that hasn’t happened,” says a source at a client that uses the service, speaking on February 6. “As of this morning, it is still not back up and running. As of right now, I don’t know where we are at.”
The outage has caused significant disruption to the bank’s futures business, this person says. “We’ve got a bunch of exchanges that clear through Seals, which is the product that was affected, and we are having to manually clear our trades. We’ve got some people working through the night, logging into exchange websites to manually clear the trades,” they say.
A second source who uses Seals says the service was down yesterday and is still down today.
Demands met?
It remains unclear how the cyber attack was resolved. Once they have successfully infiltrated a target’s systems, ransomware criminals may try to steal confidential data—demanding a ransom not to publish it—and may also charge the target for a decryption key that will allow it to access its own servers again.
The hacking group LockBit, which carried out the attack, told Reuters on Friday that its demands had been met, without specifying who had made the payment.
Sources give mixed reports on what users have been told by Ion. The European bank source says representatives of Ion denied they had paid during a call with clients on February 5. The source working with affected customers says Ion did not respond directly when asked about the ransom.
According to sources, Ion decided last week to rebuild its servers and restore data from backups rather than pay for a decryption key from the hackers.
A chief compliance officer at a US broker-dealer says rebuilding systems is best practice, regardless of whether a ransom was paid to protect confidential data. “Even with the encryption key in hand, restoring files would be time-consuming, and if they planted a backdoor they could always ransom the firm again, so many people advise to rebuild if you can.”
An Ion spokesperson declined to comment on whether the ransom had been paid.
With additional reporting by Anthony Malakian
Copyright Infopro Digital Limited. All rights reserved.