U.S. Securities and Exchange Commission Admits They Suffered a Data Breach Last Year

Brian Erickson | September 21, 2017

The threat landscape has continued to grow in massive proportions over the years. As we have further implemented technology into our daily operations, attackers have upped their game as far as targeting these technologies. There are several industries that tend to receive pretty high numbers of attacks, with one of these being governmental organizations. These types of institutions can have huge databases of personal and internal data that can be extremely valuable to attackers. The attacker may be seeking to sell stolen information, wreak havoc, or exfiltrate vital intelligence. Yet another governmental institution has been targeted by hackers in what appears to be mostly a financial gain related attack.  

News of the Breach

The organization targeted was the U.S. Security and Exchange Commission (SEC), whose purpose is enforcing security laws to protect Americans. Their purview includes regulations and securities regarding the realm of trading and investing. Recently, they admitted that their systems were hacked last year, and it is believed that the purpose was to gain information that could be used for illicit insider trading. This is when an individual uses ill-intentioned means to obtain data about trade deals and acquisitions that are not yet known by the public, which they can then employ to predictively place their investments. Of course, this is highly illegal, and the SEC had already brought a case of insider training against rogue stock traders back in 2015. Back to the recent incident, the attack had targeted the SEC’s filing system, which is called Edgar. This system processes around 1.7 million filings per year. The perpetrator had compromised a software vulnerability contained in the test filing section of Edgar, allowing them to access non-public information. Upon discovering this incident, the vulnerability had been rapidly patched and the SEC began an investigation along with the proper authorities. The attack is not believed to have compromised any other SEC systems. The breach had initially been discovered during an audit ordered by the chairman, which also found out that employees had used private unsecured email accounts in sending confidential data.

This incident proves a point that was made by the Government Accountability Office (GAO) back in July. They had released a 27-page report detailing deficiencies located in the SEC’s systems that were said to limit the “effectiveness of the S.E.C’s controls for protecting confidentiality, integrity, and availability.” The GAO had also discovered that the SEC was not always encrypting data and that they had failed in implementing recommendations from that would assist in detecting infiltration. The SEC had implemented some of the recommendations, but perhaps leaving some of them out had contributed to this breach. Although, this can only be speculated at this time.

Bolstering Cyber Security

Cyber security has become one of the most important propositions in our daily operations. Just as organizations have physical security components in place, they must also ensure cyber security is up to par. Negligence in this area can result in massive breaches and attacks that could potentially cause an organization to fail in severe cases. There are numerous cyber security implements that can help protect the data of organizations, and they just need to be put in place. It can sometimes be expensive to improve cyber security, but this is simply an investment, as a significant cyber attack or breach can be much more costly. The cost is really no excuse for an organization to leave their own data, and that of their customers, at risk. Massive Alliance offers a wide array of cyber security tools and services that can protect the data and systems of organizations.

Operations Manager
Avid documenter of all things risk. Passionate about protecting people, property, and performance (PPPP) against risks. Enjoys advanced technology-led resilience solutions which identify relevant threats, warn those affected, and prescribe what action to take.