US SEC reveals it was hacked in 2016, says leaked data likely used for insider trading
Company data from its 'Edgar' system used for 'illicit gain' through trades.
The US Securities and Exchange Commission (SEC) has revealed that it was hacked last year, an intrusion it now believes was the basis for insider trading.
According to the chairman of the US stock market regulator, Jay Clayton, the SEC believed that an incident "previously detected in 2016" was used by hackers for "illicit gain" through trading.
"We believe the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the commission, or result in systemic ris," Clayton wrote in a statement.
"Our investigation of this matter is ongoing, however."
The SEC claimed this week (Thursday 20 September) that the discovery was made as part of an ongoing assessment of its "cybersecurity risk profile".
The issue was blamed on a software bug in a component of Edgar – a database home to corporate information on trades, mergers and acquisitions.
The statement claimed that the vulnerability was quickly patched after discovery.
It did not reveal what company data was compromised for use in the trading scheme – or the full scope of the incident – but confirmed that hackers accessed "non-public information."
"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," Clayton's statement added.
"We must be vigilant. We also must recognise – in both the public and private sectors – that there will be intrusions. A key component of cyber risk management is resilience and recovery."
News of the incident comes after the cybersecurity disclosure from US credit reporting company Equifax earlier this month, which has admitted that hackers stole vast amounts of records linked to approximately 143 million customers, including 400,000 from the UK.
In his own admittance, Clayton outlined the main challenges that the SEC – and other major US institutions – now face on an almost daily basis.
He said that attacks come can from everwhere, including "unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, so-called "hacktivists," terrorists [and] state-sponsored actors".
He continued: "I recognise that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.
"That stark reality makes adequate disclosure no less important.
"Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself."
According to Reuters, however, the SEC was recently warned that its digital security not was up to scratch. A 27-page report from the Government Accountability Office in July found the SEC lacked adequate encryption and was using out-of-date computer software.
© Copyright IBTimes 2024. All rights reserved.