The Securities and Exchange Commission (SEC) revealed this week that it was investigating a 2016 breach of its computer systems by hackers who may have used the private data they accessed to conduct profitable trades.
The regulator’s corporate filing system, called EDGAR, is used by publicly traded companies to make highly sensitive and legally required report submissions.
In the disclosure, made in a lengthy cybersecurity statement issued on Wednesday evening, the agency said that hackers had gained entry to this system during 2016. SEC officials were unaware of the breach until August 2017 and quickly patched the security vulnerability, the agency said.
The securities regulator did not say which companies were affected or give details about the vulnerability, but the hushed revelation comes just a week after it was reported that consumer credit reporting agency Equifax suffered a major breach exposing the personal information of 143 million Americans.
In July 2016, one month before the SEC breach was uncovered, the Government Accountability Office published a report that criticised the “limited effectiveness” of the SEC’s computer systems “for protecting confidentiality, integrity, and availability.” What’s more, the report revealed that the regulator had failed to encrypt information and to adequately apply important recommended security procedures.
The statement issued by the SEC late Wednesday was, in part, a response to that negative assessment, and it gave assurances that the security recommendations had now been applied. Under the leadership of its new director, Walter Clayton, this has become a stated priority.
In 2015, the agency brought a case against a fraudulent insider trading ring that had paid Ukrainian hackers to gain access to sensitive information. The breach revelation, however, will exacerbate existing fears that regulators like the SEC will increasingly be the target of such attacks by criminals seeking an advantage on the stock markets.