The United States Securities and Exchange Commission (SEC) said late Wednesday that it was the victim of a cyber-attack in 2016 that may have allowed hackers to profit through trading on non-public information in its EDGAR filing system.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the Commission announced.
“Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” the announcement continued.
An internal investigation was commenced immediately at the direction of SEC Chairman Jay Clayton.
According to Clayton, the EDGAR system receives and processes over 1.7 million electronic filings per year.
“While we don’t have any technical details of the data breach, I would refrain from making any conclusions about its origins or attackers,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “The SEC statement is very obscure and may provoke speculation and rumors around it, including attempts to blame nation-states or attribute it to (in)famous hacking groups.”
While the SEC did not make any suggestion on the possible threat actor(s) behind the attack, it is certainly not the first-time attackers have targeted non-public company information that could have been used to gain insights leading to profits.
In March 2017, FireEye shared details of a cybercrime group tracked by the company as FIN7, which had been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the SEC.
In August 2015, the SEC announced that a cybercriminal group hacked into newswire services to steal non-public information about corporate earnings announcements that were used to make financial trades that generated more than $100 million in illegal profits.
In December 2016, the SEC charged three Chinese men accused of hacking into two New York-based law firms to steal information related to clients that were considering mergers or acquisitions, which the hackers then used to trade.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Chairman Clayton said in a statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
In a related statement, Clayton detailed the SEC's approach to cybersecurity as an organization and as a regulatory body.
“This incident clearly exposes how vulnerable our global financial ecosystem is, and how unprepared we are to fight skyrocketing cybercrime,” Kolochenko added. “In the future we will see steady fusion of common crime with cyber gangs that jointly may challenge state power and dictate their laws, while law enforcement agencies are catastrophically underfinanced by governments and just don’t have enough resource to tackle global cybercrime.”
The SEC said that the 2016 intrusion "did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
News of the SEC hack comes less than two weeks after credit reporting agency Equifax said it was the victim of a massive cyber-attack that exposed sensitive data on more than 143 million people.
By Mike Lennon on September 21, 2017