SEC says hackers profited from last year’s data storage breach

21 Sep 2017

Wall Street regulator the Securities and Exchange Commission (SEC) on Wednesday said hackers last year breached its system for storing documents filed by publicly traded companies, potentially accessing data that allowed the intruders to make illegal profits.

The announcement once again exposes the vulnerability of governments and businesses to cyber attacks, as the SEC's electronic database of market-moving corporate announcements was breached and the regulator admitted the hackers might have profited from the information they stole.

The hack of an aspect of the SEC's Edgar filing system occurred in 2016, the regulator said in a statement. But it wasn't until last month that the agency concluded the cybercriminals involved may have used their bounty to make illicit trades.

Edgar houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions. Infiltrating the SEC's system to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money.

The incident was briefly mentioned in an unusual eight-page statement on cyber security released by SEC chairman Jay Clayton late Wednesday. The statement didn't explain the delay in the announcement, the exact date the system was breached or whether information about any specific company was targeted.

"Notwithstanding our efforts to protect our systems and manage cyber security risk, in certain cases cyber threat actors have managed to access or misuse our systems," Clayton said in the statement.

The Edgar system is a popular way for investors to access the detailed financial reports that companies selling stock to the public must periodically release. It had a "software vulnerability" that was "exploited and resulted in access to nonpublic information," Clayton said in the statement.

The breach didn't lead to the release of personally identifiable information, but "may have provided the basis for illicit gain through trading," Clayton said. An investigation into the matter is ongoing, he said.

This is not the first time EDGAR has been compromised. The system receives thousands of documents a day and in 2015, fraudsters posted fake information on the site about the takeover of Avon Products, driving the company's stock price up significantly before it was detected. And, in 2014, several researchers found that information submitted was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage. High-speed traders, for example, can make thousands of trades in the blink of an eye.

The SEC's disclosure comes just two weeks after credit-reporting company Equifax Inc said it had been a victim of a hack that may have led to the theft of personal data on 143 million Americans. With the public and lawmakers still reeling from Equifax's breach, the SEC intrusion is almost certain to trigger additional questions over whether the US government can do more to protect data.

"Effective management of internal cyber security risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency," SEC Commissioner Michael S Piwowar said in a statement.

The latest announcement could hamper the SEC's efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street figures, including the New York Stock Exchange, have warned the database could become a target for hackers.

"This hack illustrates that protecting against hackers isn't as easy as the government sometimes expects of companies," Bradley Bondi, a former SEC enforcement attorney now in private practice, told Bloomberg. "Everyone is vulnerable at any time."