SEC reveals that data breach may have enabled insider trading

21 Sep 2017

US Securities and Exchange Commission, Washington DC. Image: Mark Van Scyoc/Shutterstock

The US Securities and Exchange Commission’s EDGAR filing system was hacked in 2016.

The US Securities and Exchange Commission (SEC) said yesterday (20 September) that its corporate database had been infiltrated in 2016, but only in August 2017 was it discovered that those responsible may have used their ill-gotten information to dabble in some insider trading.

The market regulator’s filing system in question, EDGAR, had information on everything from statements on the latest mergers and acquisitions, to quarterly earnings. It was described by Bloomberg as something of a “virtual treasure trove”.


A software vulnerability

Chair of the SEC, Jay Clayton, wrote: “Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”

He said he believed that no personal data had been exposed in the breach.

“We believe the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the commission or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”

The statement from Clayton also mentioned that some SEC laptops that could have stored private data could not be located during an internal review of the body in 2014.

Profits for hackers?

Although the vulnerability was patched almost immediately in 2016, it is noteworthy that the regulator only became aware last month that it could have provided the basis for “illicit gains through trading”.

Questions are being raised in the public sphere about the true level of security in these historically trusted institutions.

According to Reuters, the SEC in particular had previously been pulled up by the US Government Accountability Office for failing to implement an intrusion-detection system properly, and for making mistakes regarding things as basic as firewall configuration.

Clayton concluded: “I recognise that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving and, in certain cases, they have been successful at the most robust institutions and at the SEC itself.

“Cybersecurity efforts must include – in addition to assessment – prevention and mitigation, resilience, and recovery.”


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
