Another data breach has taken advantage of application vulnerabilities in a major organization, as the U.S. Securities and Exchange Commission disclosed a data breach that exploited a software vulnerability in its database filing application.
In a public statement Wednesday, SEC Chairman Jay Clayton said the organization detected an intrusion by attackers in 2016, which it said "provided the basis for illicit gain through trading." The breach was the result of a software vulnerability in the test filing component of the EDGAR system, an application that stores and allows users to access publicly filed financial regulatory documents, he said.
The software vulnerability was patched after discovery, according to Clayton. However, prior to patching the vulnerability was exploited, resulting in "access to nonpublic information," he said. The SEC does not believe hackers stole any personally identifiable information or jeopardized any SEC operations, he said, but is investigating whether hackers used the information to profit from market movements or place fake SEC filings on the site.
The SEC did not provide any information on what companies were affected by the breach or how extensive it was.
The public statement also said the SEC had an incident in 2014 following an internal review in which laptops containing nonpublic regulatory information were lost, as well as separate incidents where personnel used non-secure email accounts to share nonpublic information.
"I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself," Clayton said. "Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."
Clayton's public statement said the SEC recognizes the importance of cybersecurity and uses an organizationwide program for threat detection, protection and prevention. It said it also does regular cybersecurity and privacy training. In wake of the incident, Clayton said the SEC expects to hire more expertise around cybersecurity.
The breach is the second major breach in the past few weeks that leveraged an application vulnerability to gain access to information in a major organization. Earlier this month, Equifax revealed a significant data breach impacting 143 million customers. The credit reporting agency said hackers infiltrated its system, stealing significant personally identifiable information through a vulnerability in a U.S. website application.
Terry Murray, president of San Antonio-based Prescriptive Data Solutions, said the breach is yet another sign of an organization waiting for a catalyst to make significant changes in its security practice.