It all happened when the former SEC employee thought it would be a good idea to download some SEC templates that could be of use at his new job. By doing so, he also accidentally downloaded onto the thumb drive the names, birth dates and Social Security numbers of past and present agency employees.
Once settled in his new job, he uploaded both the templates and the employee data onto his new employer's systems, and repeated the action a few months later because he couldn't locate the documents he had uploaded the first time.
It's interesting to note that neither the new employer nor the old one found anything amiss for months after the "breach". It took a random security scan some 10 months later to discover it.
According to the notification letter received by the affected employees, the SEC has seized the thumb drive in question, and all the aforementioned data will be deleted from the other agencies' networks. Just in case, the affected employees will receive free credit monitoring for a year.
As limited and negligible as this incident might seem at first glance, it shows that the SEC - and people in the know say other government agencies as well - are really bad at keeping track of who is accessing data.
This is also not the first incident of this kind at the SEC, and two recent internal audits showed that the agency is pretty careless when it comes to disabling accounts of staff that left the agency (whether for another one or for an organization in the private sector), and that it allowed employee access to sensitive information from non-government computers.
Given that the SEC works with sensitive financial information that can be easily misused, this should be a wake-up call for the agency to start using data loss/leak prevention solutions.