- Chairman Jay Clayton of the U.S. Securities and Exchange Commission (SEC) issued a statement on Wednesday revealing a 2016 data breach of classified information in its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system. The breach may have led to "illicit gain through trading," he said.
- The intrusion was detected in 2016 and a patch was administered. However, the SEC learned in August that hackers were still able to exploit the software vulnerability in EDGAR's test filing component. The EDGAR system processes 50 million pages of documents made available to investors and market participants — but not the public — each day, according to a statement made by Clayton.
- Clayton said the SEC believes the breach "did not result in unauthorized access to personally identifiable information, jeopardize the operation of the Commission or result in systemic risk," but authorities are going to continue investigating the incident.
Breaches and widespread malware attacks have plagued 2017 and could cost the U.S. more than $121 billion a year. Cybersecurity is a layer of protection no organization, private or public, can afford to ignore.
In its 2016 security report, the Government Accountability Office (GAO) found the SEC did not regularly update its software and hardware with appropriate security configurations. In its 2017 report, the GAO determined the SEC improved its configuration management controls but used "unsupported software to process financial data." Additionally, the SEC did not regularly monitor its financial systems' security configurations.
The SEC's breach was a result of a vulnerability in patched software. The U.S. government's federal IT budget is $80 billion with 75% delegated to system maintenance. Despite this, Security Scorecard ranked the government 16th out of 18 industries for patching applications.
The GAO found slight improvements in the SEC's network accessibility, but there were still weaknesses in creating boundary protection for its financial network. In 2016, the EDGAR system had insufficient authorization measures after the GAO found the SEC failed to remove nine of 66 expired administrator accounts from its network's list of authorized users. Human error, like retaining former employee access credentials, accounts for 90% of security breaches across industries.