Skip to main content
close search
site logo
Dive Brief

SEC data breach may have led to 'illicit gain through trading'

Published Sept. 21, 2017
Samantha Schwartz's headshot
Samantha Schwartz Reporter

Dive Brief:

  • Chairman Jay Clayton of the U.S. Securities and Exchange Commission (SEC) issued a statement on Wednesday revealing a 2016 data breach of classified information in its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system. The breach may have led to "illicit gain through trading," he said. 
  • The intrusion was detected in 2016 and a patch was administered. However, the SEC learned in August that hackers were still able to exploit the software vulnerability in EDGAR's test filing component. The EDGAR system processes 50 million pages of documents made available to investors and market participants — but not the public — each day, according to a statement made by Clayton.
  • Clayton said the SEC believes the breach "did not result in unauthorized access to personally identifiable information, jeopardize the operation of the Commission or result in systemic risk," but authorities are going to continue investigating the incident. 

Dive Insight:

Breaches and widespread malware attacks have plagued 2017 and could cost the U.S. more than $121 billion a year. Cybersecurity is a layer of protection no organization, private or public, can afford to ignore.

In its 2016 security report, the Government Accountability Office (GAO) found the SEC did not regularly update its software and hardware with appropriate security configurations. In its 2017 report, the GAO determined the SEC improved its configuration management controls but used "unsupported software to process financial data." Additionally, the SEC did not regularly monitor its financial systems' security configurations.

The SEC's breach was a result of a vulnerability in patched software. The U.S. government's federal IT budget is $80 billion with 75% delegated to system maintenance. Despite this, Security Scorecard ranked the government 16th out of 18 industries for patching applications.

Outdated software or hardware grants easy access to hackers. May's WannaCry attack found a hole in Windows 7 after users ignored Microsoft's push for the more secure Windows 10 update.

The GAO found slight improvements in the SEC's network accessibility, but there were still weaknesses in creating boundary protection for its financial network. In 2016, the EDGAR system had insufficient authorization measures after the GAO found the SEC failed to remove nine of 66 expired administrator accounts from its network's list of authorized users. Human error, like retaining former employee access credentials, accounts for 90% of security breaches across industries.

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell