A major computer hack at America’s top stock market regulator is the latest sign that data stored in the highest reaches of the U.S. government remains vulnerable to cyber attacks, despite efforts across multiple presidencies to limit high-profile breaches that are so frequent many consider them routine.
In recent years, nation-state and criminal hackers, as well as rogue employees, have stolen data from the Internal Revenue Service, the State Department and intelligence agencies, including millions of government employee files allegedly exfiltrated by the Chinese military, U.S. officials say.
The Sec urities and Exchange Commission ( SEC ), America’s chief stock market regulator, said on Wednesday that cyber criminals may have used data stolen last year to make money in the stock market, making it the latest federal agency to grab headlines for losing control of its data.
At the same time, being only the latest major breach is not special, said Dan Guido, chief executive of Trail of Bits, which does cyber sec urity consulting for the U.S. government.
“It simply reflects the status quo of our digital sec urity,” said Guido, who is a former member of the cyber sec urity team at the Federal Reserve, America’s central bank.
Central bank officials have detected dozens of cases of cyber breaches, including several in 2012 that were described internally as “espionage.”
The U.S. federal government has sharply increased funding dedicated to protecting its own digital systems over the last several years, attempting to counter what is widely viewed as a worsening national sec urity liability.
But as one of the world’s largest collectors of sensitive information, America’s federal government is a major target for hackers from both the private sec tor and foreign governments.
“When you have one central repository for all this information – man, that’s a target,” said Republican Representative Bill Huizenga, chairman of the House subcommittee on Capital Markets, Sec urities, and Investment, which oversees the SEC .
Last year, U.S. federal, state and local government agencies ranked in last place in cyber sec urity when compared against 17 major private industries, including transportation, retail and healthcare, according to benchmarking firm Sec urityScorecard.
An update of the rankings in August showed the U.S. government had improved to third worst, ahead of only telecommunications and education.
“We also must recognize – in both the public and private sec tors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” said SEC Chairman Jay Clayton.
The federal government audits cyber sec urity measures every year at top agencies, producing reports that routinely expose shortfalls and sometimes major breaches. The Federal Bureau of Investigation also looks for hacking attempts and helped spot an alleged intrusion by Chinese military-backed hackers into a major banking regulator between 2010 and 2013.
Weekly scans of government systems by the Department of Homeland Sec urity showed in January that the SEC had critical cyber sec urity weaknesses but that vulnerabilities were worse at three agencies, including the Environmental Protection Agency, the Department of Health and Human Services and the General Services Administration.
Some agencies said they had improved their cyber sec urity posture since that report.
For more about cybersecurity, see Fortune’s video:
A GSA spokeswoman said the agency has not had any critical vulnerabilities in the past six months, and that the ones identified in January were patched in under 10 days.
A Department of Labor spokesman said all identified vulnerabilities had been fixed and that its systems were not compromised by the identified flaws.
But, he added, “addressing vulnerabilities associated with legacy systems can be challenging.”