Staff data leaks out of the SEC

A serious data breach at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals.

The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official on privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency.

It said a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees onto a thumb drive, and then transferred them to the other agency.

The SEC did not learn of the breach until 10 months after the data was uploaded at the new agency, it said.

“We deeply regret this occurrence and apologize for any inconvenience this incident may cause,” Bayer wrote. “Please be assured that the SEC is committed to protecting the information with which we are entrusted.”

It is unclear how many employees’ personal information was exposed, though the SEC said the breach applied to employees who worked for the agency before October 2009.

An SEC spokesman confirmed the contents of the letter, adding that people affected would be offered a free year of credit monitoring.

He declined further comment, including about whether an investigation by the SEC’s inspector general (IG) and the inspector general at the federal agency that received the information was complete.

While the SEC’s letter said there was no evidence data ended up in the wrong hands, some former employees say the incident underlines problems with the way the agency handles sensitive staff information.

“What if he’d gone to the private sector? What if he’d dropped that thumb drive somewhere, with mine, and I’m assuming quite a few other people’s, personal information?” said Hester Peirce, a former staff attorney at the SEC who was told her personal data was compromised.

“Human error is something we really have to worry about,” said Peirce, who argued that the same problems at the SEC could be duplicated across the government. Peirce’s op-ed on the breach can be read on The Hill’s Congress Blog.

Individuals were informed of the data breach just a few months after the SEC’s inspector general recommended the agency take extra steps to secure its sensitive, nonpublic information.

In two separate routine audits, the SEC watchdog determined that the agency could do more to protect the confidential information it receives from financial institutions.

One audit, analyzing how the SEC shares sensitive information with other regulators, found that agency staff had access to nonpublic information on nongovernment computers remotely via Web-based email, opening the door to unauthorized access.

The second audit found the SEC was not disabling all accounts for staff who had left the agency, exposing the SEC to “a higher risk for malicious acts.”

SEC officials promised to implement the IG’s recommendations to improve data security after both audits.

The SEC only learned of the breach during an unrelated security scan, according to the letter.

It said the former employee downloaded “templates” from the SEC to help him in his new job and unknowingly downloaded the personal data in the process. He then uploaded that sensitive information to the new agency network twice — once when he began working there in April 2012, and again in June when he could not find his original upload.

The SEC confiscated the employee’s thumb drive, and the data, now quarantined, will be permanently removed from the recipient agency’s network, the letter said.

Data security experts said leaks are not uncommon in the public or private sectors.

“Government and private industry have, generally speaking, a very difficult time keeping track of data,” said Jacob Olcott, a principal at the cybersecurity firm Good Harbor.

“It’s very possible that the guy stuck his USB into his own personal computer. You have no idea,” he added. “I’m sure that the SEC technology staff is looking at some of the technologies that could prevent this kind of thing from happening in the future.”

Alan Paller, research director at the SANS Institute, which specializes in cybersecurity, said he generally thinks the SEC has “excellent security.”

But at the same time, he questioned how the SEC was unable to keep track of who had access to the sensitive data.

“Why didn’t the SEC know that the data was on that guy’s computer?” he said. “You could ask that question. Why did the agency that the person went to have to find it?”

This is not the first time the SEC has faced leaks of employee data.

In 2011, the agency warned staffers that their personal brokerage account information might have been compromised, after discovering security flaws with an outside contractor.

To combat concerns about possible insider trading by agency employees, the SEC hired an outside contractor to manage a computer program to monitor staffer trades and improperly provided private information to a subcontractor, according to Reuters. No data was believed to have been misused in that event either.

Fellow financial regulators have also faced similar challenges. The Commodity Futures Trading Commission (CFTC) faced its own data breach in 2012 after a CFTC employee fell for a “phishing” email scam, giving a third party access to personnel information, according to Bloomberg.