
SEC reveals 2016 hack that breached its filing system

Wednesday, Sept. 20, 2017, 11:09 p.m.

The Securities and Exchange Commission, the country's top Wall Street regulator, announced Wednesday that hackers last year breached its system for storing documents filed by publicly traded companies, potentially accessing data that allowed the intruders to make an illegal profit.

The agency detected the breach last year but didn't learn until last month that it could have been used for improper trading. The incident was briefly mentioned in an unusual, eight-page statement on cybersecurity released by SEC Chairman Jay Clayton late Wednesday. The statement didn't explain the delay in the announcement, the exact date the system was breached or whether information about any specific company was targeted.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton said in the statement.

The system that was breached, known as EDGAR, is a popular way for investors to access the detailed financial reports that companies selling stock to the public must periodically release. It had a “software vulnerability” that was “exploited and resulted in access to nonpublic information,” Clayton said in the statement.

The breach didn't lead to the release of personally identifiable information, but “may have provided the basis for illicit gain through trading,” Clayton said. An investigation into the matter is ongoing, he said.

This is not the first time EDGAR has been compromised. The system receives thousands of documents a day, and in 2015 fraudsters posted fake information on the site about the takeover of Avon Products, driving the company's stock price up significantly before it was detected. And in 2014, several researchers found that information submitted was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage. High-speed traders, for example, can make thousands of trades in the blink of an eye.

“Effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency,” SEC Commissioner Michael Piwowar said in a statement.

The latest announcement could hamper the SEC's efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street figures, including the New York Stock Exchange, have warned the database could become a target for hackers.

This also comes at a time of heightened sensitivity to cyber breaches. The credit reporting agency Equifax announced a massive hack earlier this month that affected 143 million Americans, sparking outrage on Capitol Hill and multiple investigations.
