The commission says that “illicit gain through trading” may have been the key motivator.
The US Securities and Exchange Commission has admitted to being hacked in 2016, with illegal trading potentially at the root of the breach.
On Wednesday, SEC Chairman Jay Clayton said one of the financial regulator’s databases, containing corporate announcements, was compromised and may have been used to gain an advantage in stock trading.
By specifically targeting this system, the threat actors may have gained access to information which had the power to change the market, which in turn could be used to trade illicitly thanks to the stolen, “insider” information contained therein, whether they were company financial statements or merger announcements.
In a statement, SEC said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected — or how much the hacker profited.
Edgar processes roughly 1.7 million electronic filings per year.
The hacker was able to take advantage of a “software vulnerability in the test filing component” of Edgar, which “resulted in access to nonpublic information.”
Once discovered, the problem was immediately patched, and an investigation has now begun into the data breach.
Clayton said the review of the incident is ongoing with help from “appropriate authorities,” but it is not so far believed that the hack went any further and compromised any other SEC systems.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant. We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
The breach was discovered as part of an audit ordered by the chairman. It was also discovered that staff have used private, unsecured email accounts to transfer confidential information.
SEC’s disclosure comes only two weeks after Equifax disclosed a severe data breach, resulting in private and sensitive data belonging to 143 million US consumers, as well as roughly 400,000 UK customers, being compromised.
US names, social security numbers, dates of birth, and home address were exposed and may have been stolen, but Equifax says UK client data leaked only included customer names, dates of birth, email addresses, and telephone numbers.
Equifax then blamed an Apache Struts security hole for the incident. While it is possible that a zero-day bug was to blame, it appears more likely that a patching oversight or lazy updating was to blame.