[Infowarrior] - SEC ignored years of warnings about cybersecurity before massive breach

Richard Forno rforno at infowarrior.org
Tue Oct 24 14:12:24 CDT 2017


SEC ignored years of warnings about cybersecurity before massive breach

By Renae Merle October 24 at 2:00 PM

For years before the Securities and Exchange Commission suffered a massive breach last year, federal watchdogs had warned the agency to encrypt the sensitive financial data stored in its networks.

The Government Accountability Office delivered the admonition most recently in July, a month before the SEC’s leadership learned of the 2016 hack. But the agency’s advice to the SEC on this issue dates to at least 2008, when the GAO said the SEC’s lack of encryption would make it easier for attackers to gain access to sensitive information.

The SEC declined to say whether the lack of encryption made it easier for hackers to gain access to sensitive filings. But encryption technology is widely used across corporate America and on consumer products such as smartphones and laptop computers. Without it, cybersecurity experts say, hackers can immediately read and use the data they steal. While it does not prevent all types of data theft, it can limit the seriousness of the loss in many cases, they say.

“There isn’t really any excuse for organizations that hold deeply sensitive data not to be using disk encryption,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a civil liberties group. “The tools for doing so are mature, fairly easy to use and free.”

< - >

https://www.washingtonpost.com/business/economy/sec-ignored-years-of-warnings-about-cybersecurity-before-massive-breach/2017/10/24/7e7507d0-adf7-11e7-be94-fabb0f1e9ffb_story.html

