SEC Reveals Data Breach Caused By Software Application Vulnerability

Another data breach has taken advantage of application vulnerabilities in a major organization, as the U.S. Securities and Exchange Commission disclosed a data breach that exploited a software vulnerability in its database filing application.

In a public statement Wednesday, SEC Chairman Jay Clayton said the organization detected an intrusion by attackers in 2016, which it said "provided the basis for illicit gain through trading." The breach was the result of a software vulnerability in the test filing component of the EDGAR system, an application that stores and allows users to access publicly filed financial regulatory documents, he said.

The software vulnerability was patched after discovery, according to Clayton. However, prior to patching the vulnerability was exploited, resulting in "access to nonpublic information," he said. The SEC does not believe hackers stole any personally identifiable information or jeopardized any SEC operations, he said, but is investigating whether hackers used the information to profit from market movements or place fake SEC filings on the site.

[Related: Data Breach At Credit Services Company Equifax Affects 143 Million Customers]

id
unit-1659132512259
type
Sponsored post

The SEC did not provide any information on what companies were affected by the breach or how extensive it was.

The public statement also said the SEC had an incident in 2014 following an internal review in which laptops containing nonpublic regulatory information were lost, as well as separate incidents where personnel used non-secure email accounts to share nonpublic information.

"I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself," Clayton said. "Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."

Clayton's public statement said the SEC recognizes the importance of cybersecurity and uses an organizationwide program for threat detection, protection and prevention. It said it also does regular cybersecurity and privacy training. In wake of the incident, Clayton said the SEC expects to hire more expertise around cybersecurity.

The breach is the second major breach in the past few weeks that leveraged an application vulnerability to gain access to information in a major organization. Earlier this month, Equifax revealed a significant data breach impacting 143 million customers. The credit reporting agency said hackers infiltrated its system, stealing significant personally identifiable information through a vulnerability in a U.S. website application.

Terry Murray, president of San Antonio-based Prescriptive Data Solutions, said the breach is yet another sign of an organization waiting for a catalyst to make significant changes in its security practice.

"I'm at a loss [as to] what to say," Prescriptive Data Solutions' Murray said. "With all the spend on technology, it seems to be having so little impact on the fundamental ability to just protect the data. We're not winning at all."

Murray said he is starting to slowly see customers put more focus on application security, although he said the majority seem to still center on traditional identity management and security. Events like this one should help spur those investments by customers, but the gap remains wide between customers who are taking sophisticated security approaches and those that are laggards, he said.

Some of the solution provider's more advanced customers are looking to integrate security further into the DevOps process, according to Murray. However, that can be a challenging conversation between security teams and developers, as security can be seen as slowing down or inhibiting the DevOps process, he said.

"I'm sure it's coming," Murray said.