SEC breached in 2016; data used for illicit trades?
The US Securities and Exchange Commission (SEC), the stock market watchdog, announced on September 20, 2017, that it had learned the previous month that an intrusion into its EDGAR reporting system seems to have been used for illegal stock trading. The SEC knew in 2016 that EDGAR had been hit with unauthorized access; the news is that, upon investigation, the intrusion appears to have enabled illicit gains. The disclosure appeared in a long statement by the SEC chair outlining the ways in which cyber security and resilience are important, and describing the Commission's assessment of its own risk profile. Here are the relevant passages:
"Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.
"In addition, like other organizations, we are subject to the risk of unauthorized actions or disclosures by Commission personnel. For example, a 2014 internal review by the SEC's Office of Inspector General ("OIG"), an independent office within the agency, found that certain SEC laptops that may have contained nonpublic information could not be located. The OIG also has found instances in which SEC personnel have transmitted nonpublic information through non-secure personal email accounts." (SEC)
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) is the SEC's central collection point for the filings public companies are required to submit. Congress and the Department of Homeland Security have raised concerns over SEC cyber risk before (Reuters).
There's no word, yet, on who hacked EDGAR, how they did it, or how they used the nonpublic information they obtained for stock trading.