Hackers broke into the systems of the top US securities regulator last year, and may have used confidential information to trade in the stock market. The Securities and Exchange Commission said yesterday that criminals exploited a software vulnerability in its filing system. While the breach was detected in 2016 and the weakness patched, the SEC says it wasn’t until last month that the agency realized the information may have been exploited through stock market trades.
It’s the second disclosure this month that cyber criminals exploited records entrusted to a key US financial institution. Credit reporting company Equifax said on Sept. 7 that hackers had stolen personal information, such as Social Security numbers and birth dates, for about half the nation’s population. In the SEC hack, the agency says personal data wasn’t stolen.
Instead, hackers broke into the SEC’s database of filings, called Edgar (Electronic Data Gathering, Analysis and Retrieval system), which houses information from thousands of public companies that are regulated by the agency. Edgar receives and processes more than 1.7 million electronic filings per year. The intruders may have taken advantage of information in the system that hadn’t yet been made public.
“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” the SEC said.
SEC chairman Jay Clayton said the agency is also working to defend against the threat of unauthorized users posting fake filings on the system or shutting down the service through so-called denial of service attacks. The agency started reviewing its cybersecurity vulnerabilities in May.
Clayton acknowledged that an immense repository for market data that’s in the works could be targeted by hackers. The Consolidated Audit Trail will help regulators examine computer-driven trading that takes place near the speed of light, but it will also contain detailed information about brokers’ customers. Its first stage of operation is supposed to start in November.
The SEC says hackers have stolen information before and used it to make bets on stocks. The agency charged three Chinese traders in December with installing malware on the computer systems of two prominent law firms to get information about pending mergers and acquisitions. The SEC says the hackers made almost $3 million in illegal profits.