SEC reveals computer system hacked last year
The top securities regulator in the United States said Wednesday night that its computer system had been hacked last year, giving the attackers private information that could have been exploited for trading.
The disclosure, coming on the heels of a data breach at Equifax, the major consumer credit reporting firm, is likely to intensify concerns over potential computer vulnerabilities lurking among pillars of the American financial system.
The Securities and Exchange Commission said in a statement that it was still investigating the breach of its corporate filing system. The system, called Edgar, is used by firms to make legally required filings to the agency.
The agency said it learned in August that an incident detected last year “was exploited and resulted in access to nonpublic information.” It said the security vulnerability used in the attack had been patched shortly after it was discovered.
The hacking, it said, “may have provided the basis for illicit gain through trading.”
In its statement, the agency did not release further details of the attack, including whether it had resulted in disclosure of any information about particular companies.
The Equifax breach, which focused on a database that contained the personal information of 143 million Americans, focused attention on the vulnerabilities of private companies that handle sensitive personal financial information. The SEC sometimes handles its own sensitive information, including disclosures that companies are allowed to keep away from investors. Such information could give traders an edge.
The SEC may have presented a ripe target.
The Government Accountability Office in July released a 27-page report that found deficiencies in the SEC’s information systems that “limited the effectiveness of the SEC’s controls for protecting confidentiality, integrity and availability.” It also found that the SEC did not always encrypt information and had failed to fully implement recommendations from the General Accounting Office that would help detect intrusion.
In its response, the SEC said it agreed with the recommendations of the report but added that it had implemented a number of its suggestions.