SEC Reveals 2016 Data Breach
The U.S. Securities and Exchange Commission (SEC) has revealed that it was hacked in 2016, and said illegal trading could have been the motivation for the breach.
SEC Chairman Jay Clayton said the database that contained corporate announcements had been compromised, and the information contained therein may have been used to make more advantageous stock trades.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” Clayton said in a statement. “Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
While personal information was not accessed in the breach, the stolen documents could have allowed the hackers to trade illicitly with “insider” information, which would allow them to affect the market.
The SEC discovered the breach after Clayton ordered an audit of SEC systems. The agency immediately patched its system and reported the incident to the “appropriate authorities.”
The SEC’s EDGAR system processes about 1.7 million electronic filings each year. The organization is unsure which companies may have been affected by the breach or how much the criminals may have profited from their activities.
During the audit, the investigators also discovered that laptops containing nonpublic information had been lost and that personnel were using their personal, non-secure email accounts to share nonpublic regulatory information.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Clayton. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Clayton has also said the SEC plans to hire more cybersecurity experts in the wake of these findings.