CFTC Data Breach Risks Employees’ Social Security Numbers

The U.S. Commodity Futures Trading Commission suffered a data breach in May, putting at risk Social Security numbers and personal information of employees of the country’s top derivatives regulator.

A CFTC employee received a “phishing” e-mail on May 21 and input information to a fraudulent website, according to a copy of an e-mail sent to agency employees that described the incident. A third-party was then able to illegally enter the employee’s account, which had access to personnel information, according to the agency’s description of the incident.

“The e-mail account contained e-mails and attachments with the names, Social Security numbers and possibly other sensitive personally identifiable information of certain individuals,” according to the e-mail description. The CFTC has about 700 employees and regulates U.S. futures and swaps markets.

The e-mail description was confirmed last week by CFTC spokesman Steve Adamske. “The CFTC believes at this time that the data breach is contained to employee information and does not compromise any trading or market data. Law enforcement has been contacted and we will work with them as appropriate,” John Rogers, chief information officer at the CFTC, said in an e-mail statement on June 22.

The agency told employees that it would be implementing additional security controls for CFTC computer systems and increasing training for staff, including those who handle personal information. The CFTC arranged for employees to receive identity protection from a credit-monitoring company.

The agency is writing regulations required under the 2010 Dodd-Frank Act that will govern trading by JPMorgan Chase & Co. (JPM), Goldman Sachs Group Inc. (GS) and other companies in the $648 trillion global swaps market.

To contact the reporter on this story: Silla Brush in Washington at

To contact the editor responsible for this story: Maura Reynolds at

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.