Undisclosed SEC breach may have led to illegal stock trades
The U.S. Securities and Exchange Commission admitted a 2016 breach that was previously undisclosed may have enabled threat actors to engage in illegal stock trades.
The U.S. Securities and Exchange Commission this week acknowledged that a known, but previously undisclosed, data breach from 2016 may have had a bigger impact than the agency previously thought.
On Sept. 20, 2017, Securities and Exchange Commission Chairman Jay Clayton said in a statement that the 2016 SEC breach of the EDGAR system -- used for storing and searching corporate financial filings -- may have led to the compromised data being used to facilitate illegal stock trades based on insider information.
"A software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information," Clayton wrote in the statement. "We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk."
Travis Smith, principal security researcher at Tripwire Inc. in Portland, Ore., said it should be no surprise that the SEC was the target of an attack.
"The SEC is a juicy target because they store nonpublic information, which can be used to exploit the stock market -- not exploiting in the technical sense, but using the nonpublic information to successfully invest in the stock market," Smith told SearchSecurity. "By making legitimate trades, they avoid the watchful eye of law enforcement scanning the black market for criminals selling stolen information."
Responsible disclosure
While the 2016 SEC breach was known to the agency, it was never disclosed to the public; the expanded impact of the incident was not uncovered until August 2017 -- more than one year after the attack.
The admission of the potential insider trading that may have resulted from the SEC breach came 1,400 words into a post of more than 4,000 words about how the SEC "is focused on identifying and managing cybersecurity risks."
"I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face," Clayton wrote. "That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself. Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."
Brad Keller, senior director of third-party strategy at risk management company Prevalent Inc., based in Warren, N.J., told SearchSecurity, "This suggests ... the SEC, like most companies, doesn't fully understand how the information in its various databases can be used. Taking this a step further, it suggests that they don't fully appreciate what information truly needs to be protected."
Chris Pierson, CSO at electronic payment provider Viewpost in Maitland, Fla., said the SEC breach was especially significant because the SEC's Division of Corporation Finance "spearheaded the requirement that public entities disclose material cybersecurity risks."
"[This] is a watershed event for the American financial system and markets," Pierson told SearchSecurity. "Given the cryptic release from the SEC, it is impossible to know the extent of the intrusion from May 2016 until nearly a year later, but one has to assume if these private files are all controlled through EDGAR they are in the zone of likely information to have been targeted and exfiltrated."
Ben Johnson, co-founder and CTO for infosec startup Obsidian Security in Newport Beach, Calif., said the fact that the SEC breach occurred more than one year ago and the SEC didn't disclose it is troubling.
"With any compromise, it's usually very difficult to figure out what information was read and exfiltrated. While technical details so far are sparse, it's possible that no one would know exactly what was accessed within the SEC," Johnson told SearchSecurity. "Combining the difficulty of tying together multiple events with the difficulty of knowing what information was accessed means that from a purely cyber and digital forensics perspective, it could be incredibly difficult to prove specific trades were tied to compromise at the SEC. It is often through piecing together multiple forms of intelligence that intent, causation or correlation can be surmised."