The Securities and Exchange Commission (SEC) has announced details of a 2016 hack of its computer system that may have led to “illicit gains” from stock trades.
SEC officials learned in August that hackers had breached the agency’s EDGAR online database, which contains many companies’ securities filings and other highly sensitive information. SEC Chairman Jay Clayton issued a statement Wednesday evening explaining that the intrusion was the result of a software vulnerability that was “patched promptly after discovery.”
“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” Clayton said. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
Must step up efforts
Thus far, the SEC has investigated and filed cases against individuals whom it alleges placed fake SEC filings connected to the breach. However, the agency’s announcement did not sit well with Senator Mark Warner (D-Virginia).
The lawmaker compared the breach with the recent hacking of credit reporting agency Equifax, which compromised sensitive personal details of 143 million people. Warner indicated that he would be questioning Clayton about the breach in an upcoming Senate Banking Committee meeting, according to the Los Angeles Times.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and business entities need to step up their efforts to protect our most sensitive personal and commercial information,” Warner said.
This isn’t the first time that the SEC has had to deal with cybersecurity issues. In 2014, an internal review by the agency’s Office of the Inspector General (OIG) found that laptops containing sensitive, private information could not be located.
In another instance, the OIG found that SEC employees had shared nonpublic information through non-secure personal email accounts.
Interactions with outside vendors have been troublesome as well. In his statement, Clayton confirmed that certain vendor systems and software products have provided the means for threat actors to access SEC systems.
Largely due to these incidents, the SEC has adopted an extensive cybersecurity detection, protection, and prevention program. However, Clayton says that the agency’s own limitations will require “additional expertise in this area.”