SEC hacked, intruders may have profited
Data from U.S. federal agency breached in system vulnerability
The U.S. federal agency responsible for ensuring that markets function as they should and for protecting investors was hacked last year and the intruders may have used the nonpublic information they obtained to profit illegally.
The disclosure arrived two months after a government watchdog said deficiencies in the computer systems of the U.S. Securities and Exchange Commission (SEC) put the system at risk.
In July, the U.S. Government Accountability Office issued a critical report about the security measures employed by the SEC, citing a number of deficiencies in “the effectiveness of SEC’s controls for protecting the confidentiality, integrity, and availability of its information systems.” It issued 26 recommendations to make SEC systems more secure.
According to the SEC, the breach was discovered last year, but the possibility of illicit trading was uncovered only last month. It did not explain why the hack itself was not revealed sooner, or which individuals or companies may have been impacted.
In a prepared statement, SEC chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected incident was caused by “a software vulnerability” in its filing system known as EDGAR. Clayton said the SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May.
The SEC has had other issues with EDGAR, including people posting phoney takeover offers and other hoaxes on the system that have temporarily driven up companies’ share prices. A number of filings are immediately posted on EDGAR when they are submitted to the database, so it’s unclear what kind of information is kept non-public that could be a target for hackers. Clayton also added the agency’s review of the breach is ongoing and that it’s “co-ordinating with the appropriate authorities.”
The SEC files financial market disclosure documents through its EDGAR system, which processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, setting billions of dollars in motion in fractions of a second.
The revelation from the agency comes as Americans and Canadians grapple with the repercussions of a massive hack at the credit agency Equifax, which exposed highly sensitive personal information of 143 million people. Clayton said the agency’s breach did not result in exposing personally identifiable information.
The data stolen from Equifax included social security numbers, driver’s licence information and birth dates. Banks rely on the information that Equifax and other credit-reporting companies provide in determining whether consumers should get loans.
The SEC hasn’t said whether it is investigating the hack at Equifax, but the agency for years has leaned on publicly traded corporations to strengthen their own cybersecurity systems.
An investigation into the breach and its possible consequences is ongoing, and the SEC said that it is co-operating with the “appropriate authorities.”
With files from Bloomberg