The Securities and Exchange Commission (SEC) announced on Wednesday that its EDGAR database was compromised in 2016.
This database stores non-public information on businesses, such as quarterly earnings, and statements on merger and acquisition dealings.
According to the agency, the compromise resulted from the exploitation of a software vulnerability on its systems; the vulnerability was promptly patched back in 2016:
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
The attackers, in this instance, were after what all attackers are after – data.
However, instead of stealing data to re-use and/or sell on the black market, the attackers used this data to invest in the stock market with non-public information.
This matches the modus operandi for a wide range of criminal groups. Creating and maintaining a successful cybercriminal organization requires funds, which can be raised by investing in the stock market.
In response to the data breach, SEC Chairman Jay Clayton said in the statement:
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
As with most breaches, this highlights the importance of promptly installing patches for known vulnerabilities. Every year, the Verizon Data Breach Investigations Report states that exploitation of known vulnerabilities is one of the top methods attackers use to gain access to corporate networks.
According to the Center for Internet Security, following just the first five foundational controls will prevent 85 percent of attacks against your environment.