The U.S. Securities and Exchange Commission allegedly violated federal privacy law when it inadvertently leaked the personal data of crypto miners, making them vulnerable to targeted attacks and phishing.
The data leak exposed the personal data of 650 crypto miners, including their email addresses, according to a report by the Washington Examiner.
The supposed leak took place when the SEC was investigating Green, a blockchain project centered on building a decentralized power grid whose user base consisted of crypto miners or node operators.
The financial regulator allegedly leaked 650 names and email addresses of Green’s user base when it listed them in the carbon copy (CC) field of the email instead of the blind carbon copy (BCC) field. As a result, every recipient of the email could see these names and email addresses.
The report said the leak has a “detrimental effect” since the exposed information “is more than enough” to identify the users and subject them to potential hacks of the nodes or computers that they use to mine Green tokens.
If the leak did take place, it could be a privacy concern and could subject the exposed email addresses to targeted scams and phishing. The report said the accidental SEC leak violated privacy law and cited the explanation of the Privacy Act of 1974 on the financial regulator’s website.
“The Privacy Act of 1974, as amended (5 U.S.C. § 552a), prohibits the disclosure without consent of information about individuals that the federal government maintains in a system of records. Agencies are required to give the public notice of their systems of records by publication in the Federal Register,” the website stated.
The Privacy Act also safeguards personal information stored by financial regulators to protect consumers.
“If we store information about you in a system of records from which we retrieve that information by personal identifier (e.g., name, personal email address, home mailing address, personal or mobile phone number, etc.),” the SEC said.
“The SEC adheres to Privacy Act requirements with respect to all information about individuals that it collects, maintains, uses, or disseminates in a System of Records, regardless of whether the information pertains to a U.S. Citizen, lawful permanent resident, or a non-U.S. Citizen,” it stated.
“However, the rights to seek access to and amendment of covered records, and to bring suit for alleged violations of the Privacy Act, only extend to U.S. citizens and legal permanent residents and citizens of designated foreign countries or regional economic organizations,” the financial regulator added.
International Business Times reached out to the SEC outside of office hours to get its official statement and will update this story as soon as we hear from them.