This article is part of the series

Charlie Breaks It

SEC Staffers Took Laptops With Critical Market Info to Hacker Conference

By Charlie Breaks ItFOXBusiness

When staffers at the Securities and Exchange Commission aren’t looking at porn, they’re attending conferences for computer hackers with unsecured laptops that contain the blueprints for the entire U.S. capital markets, the FOX Business Network has learned.

That’s the charge being levied at Wall Street's top cop by officials at both major stock exchanges who were recently alerted that the SEC’s inspector general had conducted an investigation showing that commission staffers took laptops with access to the exchange computer systems to several unsecured locations in recent years, including a computer hacker conference known as the “Black Hat Convention.”

Continue Reading Below

“Everything was on those laptops,” said one exchange official who spoke on the condition of anonymity. “You could find the system architecture and technology maps of both the New York Stock Exchange and the Nasdaq, information about their key data centers, their emergency plans. It’s virtually everything you need to know if you were a terrorist looking to sabotage the U.S. capital markets.”

An SEC spokesman confirmed that the security breach did occur but said the SEC has found “no evidence” that information ended up in the wrong hands.

"The Inspector general found that four staff members had used unencrypted laptop computers in violation of SEC policy,” said SEC spokesman Jon Nester. “Although we found no evidence that data was compromised, the problem was fixed and the two staffers responsible for maintaining and configuring the equipment are no longer with the agency."

But stock exchange officials, particularly at the NYSE, aren’t so certain and they’ve asked the SEC for more information about its examination to determine if the SEC review was thorough enough to ensure that its systems are safe. The NYSE  has hired a high-profile attorney, Michael Chertoff, former head of the US Department of Homeland Security during the Bush Administration, to press its case with the commission.

“The important thing for us is to know exactly what the risks are” of a security breach, Chertoff told FOX Business. “They say that they see no evidence of data being compromised but let me remind you that the people who are good at intruding computer systems generally don’t leave fingerprints.”

Chertoff said the SEC has yet to provide the stock exchange with the information it has requested.

Even if damage to the exchanges has been averted, the SEC is facing yet another embarrassing episode of staffers acting inappropriately. In 2010, the SEC inspector general found that staffers were downloading thousands of images of pornography, much of it during the financial crisis when the agency was accused of failing to clamp down on excessive risk taking by banks, and the Bernie Madoff Ponzi scheme.

In the case involving the US stock markets, staffers from the SEC’s Division and Trading and Markets—which monitors the stock markets--took computers out of the commission’s secured locations over a period of several years, the IG’s report said. The computers were “taken home by (SEC) employees and used for personal purposes,” the report said. “The (Office of Inspector General) found evidence that unprotected laptops were left unattended in hotel rooms and offices outside the SEC.”

One such unsecure location, according to a person with knowledge of the SEC’s probe, included a hacker convention, where clearly identified SEC staffers were present. The SEC staffers worked for the exchange in a technical capacity, and were apparently approved to attend the conference known as the “Black Hat hacker convention.” They were not approved to attend with the laptops, though their actions went unnoticed by the SEC until a whistleblower complaint,  people with knowledge of the matter say.

One addition problem for the NYSE: SEC officials kept mum about the issue until early October—even though the commission knew as early as last March about the potential security problems. “What’s so outrageous about this is that no one at the SEC notified the potential victims that they may have a security issue until recently,” said one exchange official.