U.S. Securities and Exchange Commission (SEC) chairman Jay Clayton recently announced that a software vulnerability in its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system “was exploited and resulted in access to nonpublic information” in 2016.
While the breach doesn’t appear to have resulted in unauthorized access to personally identifiable information, Clayton said, it “may have provided the basis for illicit gain through trading.”
The breach was discovered last year, but it wasn’t until August of 2017 that the Commission determined the data may have been used for illegal trading on insider information.
Leveraging Stolen Data
AsTech Consulting chief security strategist Nathan Wenzler said by email that the breach should serve as a reminder that hackers aren’t just looking for sensitive data to sell to others. “Many of them are looking for specific types of information which they can leverage as an advantage in business deals, stock trades, investments and other financial activities for huge profits,” he said.
Wenzler said these types of attacks will inevitably continue, with cybercriminals using stolen data in increasingly sophisticated ways. “It’s imperative that monitoring and detection for the inappropriate use of this kind of data be a standard layer of defense for organizations right alongside patching vulnerabilities, encrypting data and enforcing strong access controls,” he said.
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, suggested by email that the SEC hackers may well have been inspired by the 2015 breach of Business Wire, PR Newswire and Marketwired, when hackers made more than $100 million by trading on nonpublic information stolen from newswire services. “Protecting information that will be made public but has to remain private for some period of time is very difficult to govern,” he said.
In order to do so, Gumbs said, a company’s data governance program has to be capable of classifying information as private and only allowing proper access to it, but then adjusting to make the same information public and updating access rights appropriately. “This is not an area most organizations have shown competence in, and for any publicly traded company it is an area that they must be proficient in — but until then, expect this will not be the last such insider trading hack,” he said.
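The governance model Gumbs describes (information that is private until a scheduled release, then public, with access rights that follow the change) and the monitoring layer Wenzler calls for can be made concrete in a small policy engine. The following is an added example written for this article, not code from the SEC, EDGAR, or any of the quoted companies. It assumes each filing carries a release timestamp and an explicit allow-list of pre-release readers; classification flips by time rather than by a manual re-labelling step, every read decision is logged, and a detection pass flags any principal that repeatedly touches still-embargoed filings. All filing IDs, principals, timestamps and access records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Filing:
    """A filing that is nonpublic until release_at, then public to everyone."""
    filing_id: str
    release_at: datetime
    pre_release_readers: FrozenSet[str]   # principals allowed to read before release


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    principal: str
    filing_id: str
    allowed: bool
    reason: str


class EmbargoPolicy:
    """Time-based classification plus an audit trail of every read decision."""

    def __init__(self, filings: List[Filing]) -> None:
        self.filings: Dict[str, Filing] = {f.filing_id: f for f in filings}
        self.audit: List[AccessEvent] = []

    def classify(self, filing_id: str, now: datetime) -> str:
        # Classification flips from nonpublic to public purely by time, so there
        # is no separate re-labelling step that can be forgotten.
        return "public" if now >= self.filings[filing_id].release_at else "nonpublic"

    def check_read(self, principal: str, filing_id: str, now: datetime) -> bool:
        f = self.filings.get(filing_id)
        if f is None:
            allowed, reason = False, "unknown filing"
        elif now >= f.release_at:
            allowed, reason = True, "public"
        elif principal in f.pre_release_readers:
            allowed, reason = True, "pre-release allow-list"
        else:
            allowed, reason = False, "embargoed"
        # Log allowed and denied decisions alike: the detection layer needs both.
        self.audit.append(AccessEvent(now, principal, filing_id, allowed, reason))
        return allowed

    def embargo_touches(self) -> Counter:
        """Per-principal count of reads attempted while a filing was still nonpublic."""
        return Counter(e.principal for e in self.audit
                       if e.reason in ("embargoed", "pre-release allow-list"))

    def flagged_principals(self, threshold: int) -> List[str]:
        """Principals with at least `threshold` reads against nonpublic filings."""
        return sorted(p for p, n in self.embargo_touches().items() if n >= threshold)


def run_demo() -> dict:
    """Constructed scenario: three filings and one account sweeping embargoed data."""
    t0 = datetime(2016, 10, 3, 9, 0, tzinfo=timezone.utc)
    policy = EmbargoPolicy([
        Filing("filing-A", t0 + timedelta(hours=4), frozenset({"filer-acme", "reviewer-1"})),
        Filing("filing-B", t0 + timedelta(hours=4), frozenset({"filer-beta", "reviewer-1"})),
        Filing("filing-C", t0 + timedelta(hours=1), frozenset({"filer-gamma"})),
    ])
    reads = [  # (principal, filing, time): constructed, not a real access log
        ("reviewer-1", "filing-A", t0),
        ("svc-test", "filing-A", t0 + timedelta(minutes=10)),
        ("svc-test", "filing-B", t0 + timedelta(minutes=11)),
        ("svc-test", "filing-C", t0 + timedelta(minutes=12)),
        ("public-user", "filing-C", t0 + timedelta(hours=2)),
        ("public-user", "filing-A", t0 + timedelta(hours=2)),
        ("public-user", "filing-A", t0 + timedelta(hours=5)),
    ]
    decisions = [policy.check_read(p, fid, when) for p, fid, when in reads]
    return {
        "decisions": decisions,
        "class_before": policy.classify("filing-A", t0 + timedelta(hours=2)),
        "class_after": policy.classify("filing-A", t0 + timedelta(hours=5)),
        "flagged": policy.flagged_principals(threshold=2),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry the weight here. First, the public/nonpublic state is derived from the release timestamp at decision time, so the access rights "update themselves" the moment the embargo lifts instead of depending on someone remembering to relabel the record. Second, pre-release reads are logged even when they are allowed: a legitimately allow-listed account that starts reading far more embargoed filings than its role requires is exactly the pattern the monitoring layer should surface, and denied attempts alone would not reveal it.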
Jason Hart, vice president and CTO for data protection at Gemalto, said by email that stopping breaches like these is an unrealistic goal. “A better starting point is for organizations to truly know what they are trying to protect and then putting the right safeguards like encryption in place,” he said. “Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1 percent used encryption to render the information useless.”
According to Gemalto’s Breach Level Index for the first half of 2017, the proportion of stolen, lost or compromised data that was protected by encryption dropped by 4 percent compared to the last six months of 2016.
The first half of 2017 also saw a 164 percent increase in stolen, lost or compromised records — over 10 million records were compromised or exposed every day, or 122 records every second.
In a statement, Hart noted that a recent study by CGI and Oxford Economics using data from the Breach Level Index found that two-thirds of firms breached had their share price negatively impacted. “Out of the 65 companies evaluated, the breach cost shareholders over $52.40 billion,” he said.
“We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data,” Hart added. “Security is no longer a reactive measure but an expectation from companies and consumers.”