SEC says 2016 cyberattack may have led to illegal trading
A statement from the Securities and Exchange Commission (SEC) says its software was patched quickly after the hack was uncovered in 2016, but the possibility that attackers may have used it to make illegal profits was only discovered last month.
NEW YORK—The Securities and Exchange Commission admitted on Sept. 20 that a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016.
In a statement posted on the SEC’s website, Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system.
The statement said the software was patched quickly after the hack was uncovered in 2016, although the possibility that some may have used it to make illegal profits was only discovered last month.
The SEC revelation comes as Americans continue to grapple with the repercussions of a massive, months-long hack of Equifax, a credit reporting agency, which exposed highly sensitive personal information of 143 million people.
The SEC chairman said this breach did not result in exposing personally identifiable information.
The SEC files financial market disclosure documents through its EDGAR system, which processes over 1.7 million electronic filings in any given year, according to the agency’s 4,000-word statement.
Clayton’s statement also mentioned that a 2014 internal review was unable to locate some agency laptops that may have contained confidential information.
The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.
The SEC is continuing to investigate the breach and its possible consequences and co-ordinating with the “appropriate authorities,” according to the statement.
Clayton ordered a review of the SEC’s cybersecurity profile in May 2017, which led to the discovery of the possible illegal trading. The statement did not explain why the hack itself was not revealed when it was discovered last year.