A team of hackers recently discovered that pacemakers and defibrillators manufactured by St. Jude Medical had security vulnerabilities that could be putting lives at risk.
I know what you’re thinking: of course, when these hackers discovered the flaw, they went straight to St. Jude to inform them? Or maybe the FDA? Nope.
Instead, the hackers – part of a company called MedSec – hatched a plan. They approached an investment firm with an idea so crafty it could almost belong in one of the original Superman films: MedSec would publicly reveal the information on the security flaw, but not before the investment firm – Muddy Waters Capital LLC – took the short side on St. Jude.
The deal was that MedSec would make more money the further the stock fell while, of course, Muddy Waters would too. So, when St. Jude dipped 4.4 percent based on the revelation, the scheme worked. But was this the unethical extortion move MedSec could have made? Why not tell St. Jude of the security vulnerability so they could… you know… fix it?
Well, that’s where the waters get even muddier. MedSec says they took this approach because St. Jude wouldn’t have. In fact, MedSec’s CEO Justine Bone, in an interview with Bloomberg, suggests that her company’s fear was St. Jude would sweep this under the rug or they would find themselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing.
She says they “partnered” with Muddy Waters because the investment firm has a history of holding big companies accountable. Bone calls out St. Jude hard, even saying that the company has done nothing about other security vulnerabilities revealed to them way back in 2013.
So, will other hackers take a cue here and use this type of information for backroom partnerships where they can make money with an investment partner, keeping the public blissfully unaware until they can score their payday? Maybe they already are.