The US Securities and Exchange Commission, whose corporate-filing database EDGAR was hacked last year, mismanaged a data center move in the 2012-2013 timeframe, “thereby exposing SEC data to vulnerabilities,” an audit by the commission’s inspector general found.
The summary of the audit’s conclusions released last week does not indicate that the poorly handled relocation project led to the security breach disclosed last week, in which officials suspect hackers may have used unlawfully obtained corporate data to game the stock market.
The SEC was expected to use a relocation plan developed by a contractor for a $162,000 fee, but it did not follow the steps that were recommended, which, according to the summary, meant the fee was wasted. The recommended steps were meant to ensure the move would be properly executed and that the two data center providers whose facilities the servers were moved into met the agency’s needs.
The summary did not name the contractors, referring to them only as D1 and D2.
It was also unclear whether the audit had found any specific network-security vulnerabilities. The vulnerabilities referred to in the one-page summary are “certain physical and environmental control vulnerabilities” in the D1 data center. They did cause disruption to SEC operations and increased costs, the report said.
The audit also found that the agency’s data center contract management practices were lacking. Its representatives didn’t validate all invoices and kept incomplete files. “Further, D1 monthly power consumption reports were unusable and the SEC did not timely or adequately address known vulnerabilities at the D1 data center, or effectively assess physical and environmental controls at either data center.”
As a result of poor contract management, the SEC overpaid nearly $220,000 to the D2 data center provider (who has already refunded the money), and $2.8 million “in unsupported costs” went to D1.