
Report: US Finance Officials Brought Sensitive Data To Hacker Convention

The group responsible for protecting computers at the US Securities and Exchange Commission’s Trading and Markets Division travelled with laptops that contained sensitive, yet unencrypted, information on the security of the financial agency, according to a report by Reuters.

Members of the group even attended the annual Black Hat Security Briefings conference in Las Vegas, where hackers and security professionals meet to exchange information on threats and defences, stated the article, citing the yet-unreleased report by the SEC’s Office of Inspector General.

Potential for disruption

The Trading and Markets Division sets regulations and oversees compliance for the US equity markets. The division tracks details of the exchanges' information infrastructure and their disaster management policies.

The information, if stolen, could give attackers insight into the way that the US equity markets operated and strategies for disrupting the markets, Adam Levin, chairman and co-founder of Credit.com, said in a post on the potential leak published on 15 November.

“The fact that SEC employees brought Wall Street’s blueprints to a Black Hat hackers’ conference is both terrifyingly dumb and dumbfounding, despite the fact it appears … that no data was breached,” Levin stated. “Nevertheless, it is hard to conceive of a less secure venue than this get-together where computer security experts and government intelligence leaders swap notes with all stripes of cyber-ninjas.”

Contacted by eWEEK, the Office of the Inspector General for the SEC declined to comment, referring requests for the report to the agency’s Freedom of Information Act (FOIA) and Privacy office.

The degree to which the information was ever at risk is unclear. However, the agency did hire a third-party security firm to conduct an audit of the information, which found no evidence that it had been improperly accessed, the article stated. The cost of the audit was $200,000 (£125,000). The responsible staffers have been disciplined for their actions.

Breach disclosure

In October 2011, the SEC published guidance for public companies, requiring that they disclose breaches that could matter to investors. Numerous state laws require that companies report breaches that leak personally identifying consumer information to the Internet. In some ways, the SEC guidance holds companies responsible for any major breach.

“Registrants should disclose the risk of cyber-incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” the guidance states. “In determining whether risk-factor disclosure is required, we expect registrants to evaluate their cyber-security risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents.”

The SEC’s Trading and Markets Division regularly checks exchanges’ compliance with voluntary guidelines known as Automation Review Policies. Under the voluntary policies, the companies that run the exchanges submit to security audits as well as testing of their infrastructure and business processes. Laptops used for such audits may have included maps of the exchanges’ infrastructure, disaster recovery plans and audit results, according to the Reuters article.

Credit.com’s Levin slammed the SEC and called for legislation that would set prison time for people who put infrastructure in jeopardy, stressing that such information could be used to dismantle the systems that Americans rely on for their way of life.

“If hackers ever managed to steal one of these laptops or gain unauthorised access to the data contained on the hard drives, they not only could have shut down America’s largest stock exchanges, they also could have thwarted emergency efforts to bring those exchange systems back online, perhaps indefinitely,” he said.


Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek
