The US Securities and Exchange Commission late yesterday said that its EDGAR system, which companies use to file documents required by Federal law and regulation, had been compromised by a "threat actor." That in itself isn't new—the SEC had detected the intrusion last year. What is new is the discovery that the hackers accessed data they appear to have used in illicit trading. It's not yet known how large that trading was, but it could represent a very significant incident.
The SEC's disclosure was made in a long statement about the Commission's cyber risk assessment and its further implementation of the NIST Framework.
UpGuard discovered sensitive information belonging to Viacom (including keys that could have enabled exploitation of the company's infrastructure as a platform for other attacks). Viacom seems to have dodged a bullet, as observers say—the responsible disclosure enabled them to fix the cloud exposure before serious damage was done.
Equifax continues to struggle with incident response. For an uncomfortably long period, the company was directing inquirers about the breach to a bogus phishing site. The one lesson all should learn from Equifax's travails is the importance of incident planning (and the exercise of those plans).
The supply chain problems that backdoored an Avast product increasingly look like the work of a state espionage agency.
The US Department of Homeland Security has clarified and qualified its ban on Kaspersky. Kaspersky software embedded in other vendors' products is not banned, nor are Kaspersky intelligence and training services.