The top securities regulator in the United States said Wednesday night that its computer system had been hacked last year, giving the attackers private information that could have been exploited for trading.
The disclosure, coming on the heels of a data breach at Equifax, the major consumer credit reporting firm, is likely to intensify concerns over potential computer vulnerabilities lurking among pillars of the American financial system.
The Securities and Exchange Commission said in a statement that it was still investigating the breach of its corporate filing system. The system, called Edgar, is used by companies to make legally required filings to the agency. The agency said it learned in August that an incident detected last year “was exploited and resulted in access to nonpublic information.” It said the security vulnerability used in the attack had been patched shortly after it was discovered. The hacking, it said, “may have provided the basis for illicit gain through trading.”
In its statement, the agency did not release further details of the attack, including whether it had resulted in disclosure of any information about particular companies.
The Equifax breach, which focused on a database that contained the personal information of 143 million Americans, focused attention on the vulnerabilities of private companies that handle sensitive personal financial information. The S.E.C. sometimes handles its own sensitive information, including disclosures that companies are allowed to keep away from investors. Such information could give traders an edge. The S.E.C. may have presented a ripe target.
The Government Accountability Office in July released a 27-page report that found deficiencies in the S.E.C.’s information systems that “limited the effectiveness of the S.E.C.’s controls for protecting confidentiality, integrity and availability.” It also found that the S.E.C. did not always encrypt information and had failed to fully implement recommendations from the G.A.O. that would help detect intrusion.
In its response, the S.E.C. said it agreed with the recommendations of the report but added that it had implemented a number of its suggestions. The S.E.C.’s new director, Walter J. Clayton, has said the agency would work to improve its cybersecurity protections.
“Information sharing and coordination are essential for regulators to assess potential cyberthreats and respond to a major cyberattack, should one arise,” he said in July in a speech. “We at the S.E.C. are working closely with our fellow financial regulators to improve our ability to receive critical information and alerts and react to cyberthreats.”
If the data stolen from the S.E.C.’s Edgar system was used by hackers to trade in stocks and reap profits, it would represent the latest in a new area of concern for regulators in the United States — an area in which the underbelly of the internet is joining forces with the darker corners of Wall Street.
In 2015, the S.E.C. brought the first insider trading case of its kind against a group of rogue stock traders who used hackers in Ukraine to get nonpublic information about companies. Insider trading refers to buying or selling of a stock by a trader who has inside knowledge that the investing public is not aware of, creating an unfair advantage. Typically, insider trading cases concern corporate insiders who leak information to friends, family or business associates in return for a personal benefit.
In this case, the men were accused of using hackers to break into companies like Business Wire and PR Newswire over a period of five years to steal 150,000 not-yet-public news releases of publicly traded companies. Federal prosecutors alleged that 32 traders and hackers reaped more than $100 million in illegal proceeds in a scheme so brazen that the traders would send shopping lists of corporate news releases for sneak-peeking purposes to the hackers in order to place trades.
The agency said it did not believe that the breach had involved personal information or that it would jeopardize the agency’s activities.
“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” said Mr. Clayton, the agency’s chairman, in the statement. “We must be vigilant. We also must recognize — in both the public and private sectors, including the S.E.C. — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”