The top U.S. markets regulator said on Wednesday that hackers accessed its corporate disclosure database and may have illegally profited by trading on the insider information stolen.
The Securities and Exchange Commission (SEC) said the hack occurred in 2016 but that it had only discovered last month that the cyber criminals may have used the information to make illicit trades.
The hackers exploited a software glitch in the test filing component of the system to gain access to non-public information, the agency said.
The SEC hosts large volumes of sensitive and confidential information that could be used for insider-trading or manipulating U.S. equity markets. Its EDGAR database houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions.
Although the SEC “promptly” patched the vulnerability after detecting it in 2016, the regulator only became aware last month that the glitch “may have provided the basis for illicit gain through trading”, it said.
“It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” the SEC said, adding that it was also liaising with the relevant authorities without naming them.
The incident comes just weeks after Equifax Inc (EFX.N), a major U.S. consumer credit reporting agency, disclosed that hackers had stolen data on more than 143 million customers and underscores the threat cyber criminals pose to the integrity of the financial markets.
It also raises questions about whether there were weak spots within the SEC, an institution tasked with protecting investors and financial markets, that allowed the hackers in.
In July, months after the breach was detected, a congressional watchdog office warned that the Wall Street regulator was “at unnecessary risk of compromise” because of deficiencies in its information systems.
The 27-page report by the Government Accountability Office found the SEC did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.
Cyber criminals have targeted financial information hubs before — the Hong Kong stock exchange and the Nasdaq stock exchange in New York were targeted by hackers in 2011.
But the breach at the SEC is particularly egregious because its new boss, Jay Clayton, has made tackling cyber crime one of the top enforcement issues during his tenure.
It also puts the agency under a spotlight over why the 2016 breach was not disclosed earlier. Securities industry rules require companies to disclose cyber breaches to investors and the SEC has investigated firms over whether they should have reported incidents sooner.
The SEC has scored some victories in tackling cyber criminals in recent years. Two years ago it charged a group of mainly U.S.-based stock traders and computer hackers in Ukraine with the theft of thousands of corporate press statements ahead of their public release, resulting in more than $100 million in illegal profit.
Additional reporting by Eric Beech; Editing by Peter Cooney and Carmel Crimmins