11/09/2012 06:22 pm ET Updated Jan 10, 2013

SEC Employees Used Government Computers For Personal Use, Music Downloads: Report

By Sarah N. Lynch

WASHINGTON (Reuters) - Several U.S. Securities and Exchange Commission staffers responsible for monitoring the markets and exchanges broadly misused computer equipment to download music and failed to properly safeguard sensitive information, a report has found.

In a 43-page investigative report that probed the misuse of government resources, SEC Interim Inspector General Jon Rymer discovered that an office within the SEC's Trading and Markets division spent over $1 million on unnecessary technology.

The report also found that the staffers failed to protect their computers and devices from hackers, even as they were urging exchanges and clearing agencies to do just that.

Although no breaches occurred, the staffers left sensitive stock exchange data exposed to potential cyber attacks because they failed to encrypt the devices or even install basic virus protection programs.

Reuters first reported on the unencrypted computers on Thursday, citing people familiar with the matter.

On Friday, however, Reuters reviewed a copy of the full report, which details an even broader array of problems, from misleading the SEC about the office's need to buy Apple Inc products, to cases in which staffers took iPads and laptops home and used them primarily for pursuits such as personal banking, surfing the Web and downloading music and movies.

The report says the staff may have brought the unprotected laptops to a Black Hat convention where hacking experts discuss the latest trends. They also used them to tap into public wireless networks and brought the devices along with them during exchange inspections.

In at least one case, a staffer admitted to using his personal e-mail to send his work e-mail sensitive data about the Depository Trust & Clearing Corp, the U.S. equities market's clearing agency. When asked about this, he called it "a mistake" and "bad judgment" on his part.

"While they were using unencrypted laptops themselves, they were recommending to the (exchanges and clearing agencies) that they encrypt their laptops," Rymer wrote in his report, which is dated August 30.

"The inspector general found that four staff members had used unencrypted laptop computers in violation of SEC policy," SEC spokesman John Nester said.

"Although we found no evidence that data was compromised, the problem was fixed and the two staffers responsible for maintaining and configuring the equipment are no longer with the agency."

Rymer's report comes as the SEC is encouraging companies to get more serious about cyber attacks. Last year, the agency issued guidance that public companies should follow in determining when to report breaches to investors.

The office that was the subject of Rymer's investigation is responsible for ensuring exchanges are following a series of voluntary guidelines known as "Automation Review Policies," or ARPs.

These policies call for exchanges to establish programs concerning computer audits, security and capacity. They are, in essence, a road map of the capital markets' infrastructure.

Rymer found that the office did not have any planning or oversight into its purchases of computer equipment. From 2006 through 2010, the office got permission to spend $1.8 million on technology devices.

The report also found that some people who worked in the office had little or no experience with exchange technical matters.

(Reporting By Sarah N. Lynch; Editing by Matthew Goldstein and Andre Grenon)