Skip to main content
close search
site logo
Dive Brief

SEC data breach may have led to 'illicit gain through trading'

Published Sept. 21, 2017
Samantha Schwartz's headshot
Samantha Schwartz Reporter

Dive Brief:

  • Chairman Jay Clayton of the U.S. Securities and Exchange Commission (SEC) issued a statement on Wednesday revealing a 2016 data breach of classified information in its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system. The breach may have led to "illicit gain through trading," he said. 
  • The intrusion was detected in 2016 and a patch was administered. However, the SEC learned in August that hackers were still able to exploit the software vulnerability in EDGAR's test filing component. The EDGAR system processes 50 million pages of documents made available to investors and market participants — but not the public — each day, according to a statement made by Clayton.
  • Clayton said the SEC believes the breach "did not result in unauthorized access to personally identifiable information, jeopardize the operation of the Commission or result in systemic risk," but authorities are going to continue investigating the incident. 

Dive Insight:

Breaches and widespread malware attacks have plagued 2017 and could cost the U.S. more than $121 billion a year. Cybersecurity is a layer of protection no organization, private or public, can afford to ignore.

In its 2016 security report, the Government Accountability Office (GAO) found the SEC did not regularly update its software and hardware with appropriate security configurations. In its 2017 report, the GAO determined the SEC improved its configuration management controls but used "unsupported software to process financial data." Additionally, the SEC did not regularly monitor its financial systems' security configurations.

The SEC's breach was a result of a vulnerability in patched software. The U.S. government's federal IT budget is $80 billion with 75% delegated to system maintenance. Despite this, Security Scorecard ranked the government 16th out of 18 industries for patching applications.

Outdated software or hardware grants easy access to hackers. May's WannaCry attack found a hole in Windows 7 after users ignored Microsoft's push for the more secure Windows 10 update.

The GAO found slight improvements in the SEC's network accessibility, but there were still weaknesses in creating boundary protection for its financial network. In 2016, the EDGAR system had insufficient authorization measures after the GAO found the SEC failed to remove nine of 66 expired administrator accounts from its network's list of authorized users. Human error, like retaining former employee access credentials, accounts for 90% of security breaches across industries.

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Newgen Software reports Revenues from operations at Rs 361 cr in Q2 FY’25, up 23% YoY
From Newgen Software
October 16, 2024
A10 Networks Outlines Blueprint to Secure and Deliver AI Applications and Help Increase Cyber …
From A10 Networks
October 16, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell