The group responsible for protecting computers at the U.S. Securities and Exchange Commission's Trading and Markets Division traveled with laptops that contained sensitive, yet unencrypted, information on the security of the financial agency, Reuters reported earlier this month.
Members of the group even attended the annual Black Hat Security Briefings conference in Las Vegas, where hackers and security professionals meet to exchange information on threats and defenses, stated the article, citing the yet-unreleased report by the SEC's Office of Inspector General. The Trading and Markets Division sets regulations and oversees compliance for the nation's equity markets. The division tracks information on the information infrastructure of the exchanges and their disaster management policies.
The information, if stolen, could give attackers insight into the way that the U.S. equity markets operated and strategies for disrupting the markets, Adam Levin, chairman and co-founder of Credit.com, said in a post on the potential leak published Nov. 15.
"The fact that SEC employees brought Wall Street’s blueprints to a Black Hat hackers’ conference is both terrifyingly dumb and dumbfounding, despite the fact it appears ... that no data was breached," Levin stated. "Nevertheless, it is hard to conceive of a less secure venue than this get-together where computer security experts and government intelligence leaders swap notes with all stripes of cyber-ninjas."
Contacted by eWEEK, the Office of the Inspector General for the SEC declined to comment, referring requests for the report to the agency's Freedom of Information Act (FOIA) and Privacy office.
The degree to which the information was ever at risk is unclear. However, the agency did hire a third-party security firm to conduct an audit of the information and found no evidence that it had been improperly accessed, the article stated. The cost of the audit was $200,000. The responsible staffers have been disciplined for their actions.
In October 2011, the SEC published guidance for public companies, requiring that they disclose breaches that could matter to investors. Numerous state laws require that companies report breaches that leak personally identifying consumer information to the Internet. In some ways, the SEC guidance holds companies responsible for any major breach.
"Registrants should disclose the risk of cyber-incidents if these issues are among the most significant factors that make an investment in the company speculative or risky," the guidance states. "In determining whether risk-factor disclosure is required, we expect registrants to evaluate their cyber-security risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents."
The SEC's Trading and Markets Division regularly checks exchanges’ compliance with voluntary guidelines known as Automation Review Policies. Under the voluntary policies, the companies that run the exchanges submit to security audits as well as testing of their infrastructure and business processes. Laptops used for such audits may have included maps of the exchanges' infrastructure, disaster recovery plans and audit results, according to the Reuters article.
Credit.com's Levin slammed the SEC and called for legislation that would set prison time for people who put infrastructure in jeopardy, stressing that such information could be used to dismantle the systems that Americans rely on for their way of life.
"If hackers ever managed to steal one of these laptops or gain unauthorized access to the data contained on the hard drives, they not only could have shut down America’s largest stock exchanges, they also could have thwarted emergency efforts to bring those exchange systems back online, perhaps indefinitely," he said.