A judgment published online today, Fast Track Holdings Ltd (FT) v BOCI Securities Ltd (BOCIS) (HCA 2480/2016), explains why there was a huge spike in the volume and price of Pa Shun Pharmaceutical International Holdings Ltd (PSP, 0574) on 23-Sep-2016. Volume was 92.568m shares or 9.26% of PSP and the price at one point reached $0.88, up 57.1% on the previous close of $0.56, before closing at $0.66, up 17.9%.
FT is a company which has been 49% owned by Sun Hung Kai & Co Ltd (SHKC, 0086) since 2009. According to the judgment, FT is engaged in the trading of securities, options and futures contracts and investment holding. It has low-rent government premises at our esteemed Cyberport, shared with an asset manager called Dragon Field Investment Ltd, SFC-licensed since 27-Jul-2015. Being at the Cyberport, they don't have a web site, of course.
FT alleges that between 14:40 and 15:22 that day, unauthorised person(s) logged into its account at BOCIS with a valid user ID and password, from IP address 126.96.36.199, and in the space of 18 minutes from 15:03 to 15:21, bought a total of 49.2m shares (4.92%) of PSP from a total of 76 selling brokers. The purchases cost HK$37.69m (including fees and levies), draining almost all of the $37.85m cash in the account, at an average price of $0.7636 per share, 36.4% above the previous day's close. The shares closed today (13-Oct-2016) at $0.55, resulting in a book loss of HK$10.5m so far.
Those trades were settled on 27-Sep-2016 and the Webb-site CCASS Analysis System shows the net movements. The IP address tracks to an account at ctinets.com, or HK Broadband Network, so they will probably be able to track that to a particular HKBN user's account, although of course that doesn't prove that the HKBN customer was the person online - it could just be someone using their Wi-Fi network.
One seller which benefited from this ferocious buying is Advance Apex Ltd (AA, BVI), which sold 34.9m shares at an average of $0.746 and a high of $0.85, cutting its stake from 17.45% to 13.96%. AA is 47% owned by PSP non-executive director Li Ho Tan, 50% by Cheung Chi Mang and 3% by Yu Wentao.
FT claims it should not be held responsible for the purchases, while BOCIS points to the client agreement, clause 15.3 of which states that BOCIS can rely on any instructions given by "any other person purporting to be you". The issue at trial will likely be whether there are limitations to this clause - for example, if a rogue former employee of BOCIS had somehow obtained the user ID and password and impersonated FT, then BOCIS might not be able to avoid liability if its security policies had facilitated this. Good security policies include not storing plaintext passwords on the server - hopefully they store only salted hashes (as Webb-site does), so that insiders cannot read user passwords.
The judgment makes no mention of any 2-factor authentication. A user ID and password were apparently enough to get into the account. In a 2-factor system, the 2nd factor after your password is usually a pseudo-random number generated by a gadget, or a similar one-time passcode sent by SMS to a phone (although obviously that doesn't help if the rogue has gained access to your gadget or phone). Now we don't know whether FT is an institutional or retail client, and whether institutional clients have the option of 2-factor authentication, but a visit to the BOCIS retail login pops up this:
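The hacker's IP is in Mau Wu Tsai Village, Tseung Kwan O. After reducing his holding that day, non-executive director Li Ho Tan has records of further reductions up to 6 October. I guess there is a good chance this non-executive director is in financial difficulty.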