The US Security and Exchange Commission has disclosed a hack that exposed financial records for tens of thousands of public companies listed on US stock exchanges.
Sometime in 2016, the hackers exploited a software vulnerability in the test filing component of the SEC's EDGAR system, a vast archive of financial records that it keeps on public companies. The resulting unauthorized data access “may have provided the basis for illicit gain through trading,” SEC Chairman John Clayton said in a statement. “Our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
In other words, the bad actors may have used the internal private information that companies report to the SEC regarding earnings and financial performance, IPO plans, product road maps and more—all of which can be used for insider trading. They could also manipulate the market by placing bogus public info into the system.
“Attackers are not just looking for mountains of personal data to sell to other hackers for profit,” said Nathan Wenzler, chief security strategist at AsTech Consulting, via email. “Many of them are looking for specific types of information which they can leverage as an advantage in business deals, stock trades, investments and other financial activities for huge profits. That the SEC did not consider illicit deals could come about because of the data that was stolen from EDGAR and did not aggressively monitor for such activity is a matter which all organizations should take notes on. Cyber criminals will continue to execute more of these kinds of attacks and will utilize the data stolen in more sophisticated ways as time goes on. Understanding all the ways that data can be used by attackers is key to determining the best ways to secure the information and prevent it from being used in compromising ways."
Clayton attempted to play things down: “We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
Despite it occurring in 2016, the SEC only first learned about the incident In August 2017, and said that it has now patched the vulnerability. That means the hackers had access to months worth of reporting data.
Obviously, the incident brings up questions around patching management, encrypting data and enforcing strong access controls, especially in light of the Equifax debacle.
“While we await greater detail about what layer and component of the application stack was exploited, it furthers the point that strengthening application security is critical,” said Kunal Anand, CTO and co-founder at Prevoty, via email. “In this case, a vulnerable piece of software was used to exfiltrate sensitive and ephemerally private information. On the heels of the now historical Equifax breach, two burning questions are top of mind: 1) was the vulnerable software component previously known and did EDGAR fail to patch it? and 2) why wasn’t this information encrypted, or was it encrypted and did attackers compromise sensitive keys?"
Brad Keller, senior director of third-party strategy at Prevalent, noted that the incident is a classic example of criminals targeting a system used by numerous companies to get more bang for their buck.
“It’s a simple business proposition—why expand resources to hack into one company’s data base, when through the relatively same level of effort you can gain access to dozens (or in the case of EDGAR tens of thousands) of corporate financial records. While the SEC is not a vendor in the classic sense, the analogy to why criminals target vendors for the higher ‘return on hack’ is very clear."
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/