SEC report shows data centre mismanagement may have allowed hack
Tue 3 Oct 2017
The U.S. Securities and Exchange Commission (SEC) has released a report finding that it mismanaged its data centres in 2008, which may be connected to the 2016 hack of its EDGAR system.
The SEC-authored report is damning of the organisation’s own behaviour, discovering many instances of poor practices and wasted funds. A full report was not released to the public as it contains private information, but a summary of the findings was published instead.
It begins by noting that in 2008 the SEC paid $162,000 (approx. £122,000) for a contractor-developed plan to relocate the agency’s data centres. However, for an unknown reason, the SEC did not follow the strategy’s recommended processes or timeline to ensure the 2012-2013 data centre relocations were properly executed.
The Commission has stated that it does not know why this was the case because the current officials responsible for the SEC data centres were not aware of the relocation plan: ‘Many key officials responsible for the data centre relocations no longer work at the SEC and contract files were incomplete.’
The report goes on to explain how this failure to follow the contractor’s relocation plan has resulted in wasted funds and potential data centre vulnerabilities. It found that the agency derived little, if any, benefit from the 2008 data centre plan, meaning that the $162,000 it spent was wasted.
Referring to the two data centres it relocated to in 2012/2013 as D1 and D2, it notes that the D1 data centre may have suffered ‘certain physical and environmental control vulnerabilities’ from the beginning.
Mitigating these vulnerabilities, the SEC estimates, has cost around $370,000. Perhaps more significantly, it questions whether or not it met the contract requirement of being a Tier III data centre, as required under the Telecommunications Industry Association standards.
In terms of the impact of this mismanagement on the EDGAR hack, the report notes that the SEC’s data centres house critical telecommunications, data, and computing resources, including EDGAR—the Electronic Data Gathering, Analysis and Reporting system, for financial reporting in the U.S.
As a result of the audit and ensuing report, the SEC has made ten recommendations. These have not been released in full as they contain private information, but the report does recommend that the SEC conduct comprehensive reviews of the 2012-2013 data centre relocations to identify lessons learned.
The 2016 hack of the EDGAR system, according to the SEC, may have allowed insider trading by the hackers, given that they would have been able to view not-yet-released business information. However, it has recently been reported that it may also have exposed a small amount of private personal information.