In a prepared statement, SEC Chairman Jay Clayton said a review of the agency's cybersecurity risk profile determined that the previously detected incident was caused by "a software vulnerability" in its filing system, EDGAR (Electronic Data Gathering, Analysis, and Retrieval). Two years ago the SEC charged a group of mainly US-based stock traders and computer hackers in Ukraine with the theft of thousands of corporate press releases ahead of their public release, a scheme that produced more than $100 million in illegal profit.
The top securities regulator in the United States said Wednesday night that its computer system had been hacked a year ago, giving the attackers access to nonpublic information that could have been exploited for trading.
"There are certain types of sensitive data that we must obtain from market participants in order to fulfill our mission", Clayton stated.
"Effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the non-public information that is entrusted to this agency", SEC Commissioner Michael S. Piwowar said in a statement.
The vulnerability was in EDGAR's test filing system, and attackers exploited it to gain access to nonpublic information.
The SEC says the system has since been patched to remove the vulnerability.
Ben Johnson, co-founder and CTO of the security startup Obsidian Security, said it is troubling that the breach occurred more than a year ago and the SEC did not disclose it until now. Clayton's statement also detailed steps the SEC is taking to shore up its cybersecurity, including the appointment of a new senior-level security working group, improved risk monitoring, and improvements to incident response.
Earlier this year the SEC filed fraud charges against a mechanical engineer accused of "scheming to manipulate the price of Fitbit stock by making a phony regulatory filing" on the EDGAR system. EDGAR is meant to ensure that all market participants have access to the same information at the same time, minimizing the ability of some to profit from advance knowledge of financial disclosures.
The SEC is responsible for keeping the markets fair and orderly, which means its servers are rich with insider information that could be used to make a fortune; that is very likely why the attackers targeted it. "We must be vigilant," Clayton said. The investigation into the incident was reopened in August and is ongoing.