* Chertoff tapped by NYSE following SEC computer incident
* SEC computers with sensitive data left unencrypted
* NYSE concerned about its data on those devices
By Sarah N. Lynch
WASHINGTON, Nov 16 (Reuters) - NYSE Euronext hired former Homeland Security Secretary Michael Chertoff to make sure sensitive exchange data was not breached after U.S. securities regulators left their computers unencrypted, according to a person familiar with the matter.
The computers, iPads, and other Apple devices belonged to employees in an office within the Securities and Exchange Commission’s Trading and Markets Division that is responsible for making sure exchanges protect themselves from cyber threats.
The security lapses were detailed in a non-public Aug. 30 report by Interim Inspector General Jon Rymer that Reuters wrote about earlier this month.
According to the SEC, no breach of data occurred, the problem has been fixed, and two of the staffers responsible for the vulnerabilities have left the agency.
But NYSE Euronext, operator of the New York Stock Exchange, is not convinced that the SEC thoroughly investigated the issue, this person said.
In early October, when the SEC first notified the exchange about the issue, the NYSE hired Chertoff, now an attorney at Covington & Burling, to look into the matter.
The New York Stock Exchange is the victim of “a gross mishandling of data that would get an F from any security official,” said this person, who spoke on the condition of anonymity.
A New York Stock Exchange spokesman confirmed it had hired Chertoff. A spokesman for the SEC had no immediate comment.
The SEC’s Office of Inspector General started its investigation in January of 2011 after an anonymous complaint.
Its report said SEC staffers failed to install basic virus protection on computers and various Apple devices, let alone encrypt them.
One employee acknowledged the laptops had “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges.”
The report said the SEC staffers may have brought the devices to a Black Hat Convention, where hacking experts convene to discuss cyber security trends. The report does not say why they attended the convention.
The staffers also used the devices to tap into wireless networks in hotels, to download music and movies and for personal banking, the report said.
In at least one case, a staffer admitted to using his personal e-mail to send sensitive data to his SEC e-mail account about the Depository Trust & Clearing Corp, the U.S. equities market’s clearing agency, the inspector general’s report said.
The SEC spent nearly $350,000 to hire an outside forensics team to test some of the laptops to be sure they had not been hacked, according to Rymer’s report. It also strengthened its internal policies to protect non-public data.
The NYSE, however, has reason to believe there were other unsecured devices containing exchange data which are only now being reviewed, well after the outside forensics firm Stroz Friedberg completed its independent analysis, the person familiar with the matter said.
The inspector general’s report states that while there were 28 laptops in question, the outside firm conducted forensic testing on “several select laptops” to determine if a breach occurred.
The NYSE is concerned the review was not broad enough and did not cover all of the affected devices, the person said.
It has been promised, but still has not seen, a copy of Stroz Friedberg’s report, according to the source. A representative of Stroz Friedberg was not immediately available for comment.
Moreover, this person said, the exchange operator is upset that the SEC knew about this problem for months, but only told the exchange in early October.
The issue could require corrective steps on NYSE’s part, and because it is a publicly traded company, it is subject to certain disclosure obligations mandated by the SEC.
Last year, the SEC released guidance that encouraged public companies to disclose cyber threats to investors. The issue has become more pressing after a series of high-profile companies such as Lockheed Martin Corp and Bank of America Corp fell prey to hackers.
The SEC office where the security problems occurred is responsible for making sure exchanges and clearing agencies follow a series of voluntary guidelines known as “Automation Review Policies,” or ARPs.
Under the ARPs, exchanges must provide highly sensitive information to the SEC, such as architectural maps, systems recovery plans and business continuity planning details for use in the event of a disaster or other major event.