Hack of SEC files opens door to illegal insider trading
Breach has experts questioning government security, transparency, encryption, more
By Byron Acohido, ThirdCertainty
First Equifax. Now the SEC. Who’s next?
Last week the U.S. Securities and Exchange Commission announced that hackers breached the SEC’s EDGAR database … back in May 2016!
SEC Chairman Jay Clayton issued a carefully worded statement putting this spin on the agency’s mea culpa: “We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
EDGAR—an acronym for Electronic Data Gathering, Analysis, and Retrieval—is a storehouse of disclosures companies make to everyone, such as annual and quarterly reports. Crucially, EDGAR also houses private filings relating to news releases, proposed mergers and acquisitions, and other delicate matters that can impact stock prices. ThirdCertainty convened a roundtable of experts to flesh out the wider implications.
Chris Pierson, Chief Security Officer, Viewpost
“Given the cryptic release from the SEC it is impossible to know the extent of the intrusion … but one has to assume if these private files are in the zone of information (they were) likely to have been targeted and exfiltrated. Private filings communicate deals that are about to happen or may not be happening any longer. If someone was to buy or sell shares using this inside information, huge profits could result. This is a direct financial motivation that would benefit both cyber criminals and nation-states—either by their acting on the information or selling it for profit.”
Tom Kellermann, CEO, Strategic Cyber Ventures
“This SEC breach is once again another example that government’s security architecture has failed. Nation-states are targeting regulators to counteract economic sanctions through digital insider trading and front running. The Lazarus Group has been doing this for a year. I am concerned that the attack on the SEC could allow for island hopping into all who visit (the) networks … thus allowing nonpublic market data to be manipulated.”
Atiq Raza, CEO, Virsec Systems
“This attack is especially alarming because of the clear path to monetize this data through illicit trading. We’re also seeing continued erosion of the trust that organizations like the SEC, as well as credit bureaus, financial institutions, health care providers, and government agencies need to operate. It’s critical that the SEC do a better job than Equifax in being transparent about the hack and data exposed. Waiting months to act on a breach discovered in 2016 is not a good start.”
Jeff Hill, Director of Product Management, Prevalent
“The EDGAR episode is tantalizingly efficient for bad actors: penetrate once, compromise many. Rather than hacking multiple public companies to illicitly gather valuable insider information, the EDGAR perpetrators could parlay a single breach into a potential monetizable data bonanza. Further, trading on insider information could be exponentially more lucrative than selling stolen credit card numbers on the dark web. It appears from initial reports that the attackers weren’t discovered by traditional security methods, but rather their insider trading behavior may have been the activity that aroused suspicion, a particularly disconcerting reality for the SEC’s security professionals if, in fact, that’s the case.”
Kunal Anand, CTO, Prevoty
“The disclosure by the SEC furthers the point that strengthening application security is critical. In this case, a vulnerable piece of software was used to exfiltrate sensitive and ephemerally private information. On the heels of the now historical Equifax breach, two burning questions are top of mind. Was the vulnerable software component previously known and did EDGAR fail to patch it? Also, why wasn’t this information encrypted, or was it encrypted and did attackers compromise sensitive keys?”
Gabriel Gumbs, VP of Product Strategy, STEALTHbits Technologies
“In 2015 Business Wire, PR Newswire and Marketwired were all hacked by the same group of perpetrators. They stole 100,000 news releases, traded ahead of more than 800 company financial releases and made more than $30 million in fraudulent stock market trades on this information. Other financially motivated hackers were clearly paying attention, as the SEC hack targeted the same type of information. Protecting information that will be made public but has to remain private for some period of time is very difficult to govern.”