Hackers May Have Traded on Stolen SEC DataSEC Commissioner Faces Senate Questioning Over Newly Disclosed May 2016 Breach
The chairman of the U.S. Securities and Exchange Commission will face a Senate committee next week following the agency's disclosure that hackers pulled secret market data from its systems and possibly used it to conduct trades.
In a lengthy statement issued Wednesday, SEC Chairman Jay Clayton writes that a May 2016 hacking incident "may have provided the basis for illicit gain through trading." The attackers targeted EDGAR, an electronic filing system for company data that processes more than 1.7 million documents a year (see Profiting From the SEC Breach).
EDGAR and other SEC systems are attractive targets. While much data collected by the enforcement agency is publicly available, the agency also holds a variety of personally identifiable information and nonpublic data that's used for investigations and other supervisory functions.
"EDGAR is the system that contains all the official filings of public companies, future announcements and other sensitive records and is a treasure trove to cybercriminals and nation states around the world," Chris Pierson, the CSO and general counsel for financial technology payment firm Viewpost, tells Information Security Media Group. "There is a part of the system that houses private filings relating to proposed mergers and acquisitions or other very sensitive corporate matters."
Possessing this nonpublic data could give rogue traders an edge. It's a risk the SEC is well aware of: In recent years, the agency has begun at least three criminal cases centering on the theft of nonpublic information for trading purposes, it says.
The SEC's decision to delay disclosing the 2016 attack has already drawn questions. Sen. Mark R. Warner, D-Virginia, says in a Thursday statement that he plans to query the SEC's breach disclosures requirements, when Clayton appears before the Senate Banking Committee on Sept. 26.
Warner contends that the SEC "should not retreat from its important market oversight role in order to limit its exposure to sensitive information."
Many observers have accused the SEC of setting a bad breach-disclosure example, especially as there are questions over whether publicly traded companies are disclosing their breaches in a timely enough manner to protect investors. In October 2013, the SEC's Division of Corporation Finance began requiring public entities to disclose material cybersecurity risks (see SEC Reportedly Probing Yahoo's Breach Notification Speed).
Data broker Equifax, for example, waited six weeks to disclose the exposure of personal information for 143 million U.S. consumers, 400,000 in the U.K. and 100,000 Canadians (see Equifax's May Mega-Breach Might Trace to March Hack).
"It's critical that the SEC do a better job than Equifax in being transparent about the hack and data exposed," says Atiq Raza, CEO of Virsec Systems, a San Jose, California-based security company that specializes in application security. "Waiting months to act on a breach discovered in 2016 is not a good start."
In general, data breach experts say, all organizations should be able to respond publicly to a breach within 30 to 45 days (see Data Breach Notifications: What's Optimal Timing?).
Warner says the breach of the SEC's systems shows that the commission needs to step up its efforts to protect sensitive personal and commercial information. "Information has become one of our country's most valuable resources, and control of that information comes with significant responsibility," he says.
How did hackers hit the SEC? The agency's Clayton writes that hackers targeted a "test filing component" of EDGAR. The incident was discovered in 2016 and "promptly patched." The SEC did not identify the exploited software. But the SEC only discovered last month that the intrusion might have been linked to suspicious trades.
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk," Clayton writes. "Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities."
"Given the cryptic release from the SEC, it is impossible to know the extent of the intrusion from May 2016," Viewpost's Pierson says. "What could this [stolen] information be used for? Private filings communicate deals that are about to happen or maybe not happen any longer, which can result in huge profits if someone was to buy or sell shares using this inside information."
EDGAR, which was launched in 1984 - it stands for Electronic Data Gathering, Analysis, and Retrieval - is a frequent attack target, Clayton writes. Attackers try to compromise the credentials of authorized users, gain access to filings, place fraudulent filings and also conduct distributed denial-of-service attacks.
"We are the subject of frequent attempts by unauthorized actors to disrupt access to our public-facing systems, access our data, or otherwise cause damage to our technology infrastructure, including through the use of phishing, malware and other attack vectors," Clayton writes.
That's worrisome because the agency is expanding the amount and type of data it collects. The Consolidated Audit Trail, or CAT, will begin its first stage of operation in November. The cloud-based system will track trading activity in the U.S. equity and options markets. Consultancy PwC says that CAT will aggregate 30 billion to 120 billion trade events per day from over 2,000 sources.
Via CAT, the SEC will "have access to significant, nonpublic, market sensitive data and personally identifiable information," Clayton writes. Because of that, "cybersecurity has been and will remain a key element in the development of CAT systems."
EDGAR and CAT are not the only systems potentially at risk from attackers. In January, the U.S. Department of Homeland Security found five critical vulnerabilities in a scan of 114 SEC computers and devices, Reuters reported Thursday. The scan was done as part of the Federal Cyber Exposure Scorecard, a program that provides weekly updates to 80 civilian government agencies on their cybersecurity stance, the news agency says.
The SEC didn't reveal information about the attackers who struck EDGAR and whether they might be cybercriminals or a group linked to a country.
Tom Kellerman, CEO of Strategic Cyber Ventures and formerly a senior data risk management specialist with the World Bank, says hackers such as the Lazarus Group are seeking to undermine economic sanctions by targeting regulators to steal information that can be used for insider trading purposes (see Kaspersky Links North Korean IP Address to Lazarus).
The U.S. government, as well as many private security firms, suspect that Lazarus Group is linked with North Korea. Lazarus was fingered in the attacks against banks' SWIFT international payments infrastructure. The most prominent attack saw $81 million stolen from the central bank of Bangladesh's account at the Federal Reserve Bank of New York in February 2016 (see Bangladesh Bank Heist: Lessons Learned).
Here's another possible scenario beyond data theft: Attackers might try to manipulate nonpublic data, Kellerman says. The SEC's latest hack, furthermore, doesn't bode well for the information security and integrity of U.S. government systems. Despite the government's increased concern about all matters cybersecurity, it may still be falling short.
"This SEC breach is once again another example that government's security architecture has failed," Kellerman says.
Executive Editor Mathew Schwartz also contributed to this story.