SEC Fines ICE For $10 Million for a Delayed VPN Breach Report

In a surprise development, the Intercontinental Exchange (ICE), an important player in finance and owner of major financial platforms such as the New York Stock Exchange, has agreed to pay $10 million to settle charges brought by the U.S. Securities and Exchange Commission (SEC). The penalty relates to a Virtual Private Network (VPN) security breach in April 2021 that ICE did not report on time as required by the SEC's Regulation Systems Compliance and Integrity (Regulation SCI).

So, let’s break this down a bit, shall we?

Picture yourself working at one big company that basically controls everything happening within financial markets. Suddenly, boom: it gets hit by a cyberattack. The initial thought would be to ring up the SEC first for help, right? Well, it seems ICE didn’t rush to evaluate the breach’s effect.

They took four days to do that and internally decided it was not a major problem. Here comes the interesting part: the SEC learned about this breach from someone else during its investigation of similar incidents. This is quite an unexpected development!

The breach itself was significant. It came to light through a third party who informed ICE about possible unauthorized access connected to a weakness in its VPN. This was not an ordinary hacker, though. Sophisticated threat actors, believed to be nation-state actors, were able to put harmful code on the affected VPN device. They wanted the gold: employee names, passwords, and multi-factor authentication codes. The scary thing? If they got this data, it could have been like a backstage pass to ICE’s internal corporate networks.

But now, we come to the more technical part. Even with the breach, ICE’s security team succeeded in containing the harm to just the one affected VPN device. Yet they made an error by not immediately informing legal and compliance officials at the company’s affiliates, which is not allowed under Reg SCI rules and ICE’s cyber incident reporting process.

Finally, ICE and its affiliates agreed to the SEC's order. They accepted the facts about the notification mistakes but did not openly admit or deny the findings. Alongside the $10 million penalty, they also accepted a cease-and-desist order to halt any further violations of Reg SCI rules.
