SEC Hacked: Information From Breach May Have Been Used In Trading

The United States Securities and Exchange Commission (SEC), the government agency that regulates the financial sector, announced Wednesday that its systems were breached by hackers and information stolen from the commission may have been used for insider trading.

SEC Chairman Jay Clayton said hackers were able to infiltrate the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system—a sizable database that maintains information and documentations from official company filings and past financial records.

According to Clayton, the hackers were able to exploit a vulnerability discovered in a test filing component of EDGAR that allowed the attackers to gain access to the backend of the SEC’s system.

Much of the information housed in EDGAR is already publicly available, but the attackers were also able to access nonpublic information that may have been used to facilitate illegal trading to benefit the attackers or sold to other parties for potentially illegal uses.

The SEC said the exploit was quickly patched after discovery and the unauthorized access is not believed to have resulted in the compromise of any personally identifiable information and does not jeopardize the operations of the commission. According to the SEC, there is no systemic risk associated with the breach.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Chairman Clayton said in a statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

While the commission has does its best to quell concerns stemming from the breach, the timeline related to the hack does not appear promising. The SEC doesn’t give a specific timeframe for when the breach occurred but notes it was first discovered in May 2016 and patched upon its discovery.

That breach was not disclosed until Wednesday. What prompted the SEC to suddenly detail the breach that took place more than one year ago was a revelation last month that information stolen as a result of that breach “may have provided the basis for illicit gain through trading.”

Ben Johnson, the co-founder and chief technology officer at Obsidian Security and a former computer scientist for the National Security Agency, told International Business Times, “If anyone is shocked that the SEC was compromised, they shouldn't be.”

Johnson said it was “troubling” a breach that took place last year is just coming to light now. “With any compromise, it's usually very difficult to figure out what information was read and exfiltrated. When attackers have access for long periods of time, it's even worse because logs often expire or get recycled, and ways to extract information become numerous and even harder to prove,” he said.

According to Johnson, it’s possible that the SEC isn’t fully aware of what information was accessed from the breach, making it difficult to pinpoint exactly what was taken and how it may have been used.

Regardless, insider information is in demand among hackers and other malicious actors. Johnson said simply knowing about upcoming product launches, mergers and acquisitions or private corporate details can prove to be more valuable to attackers than stolen personal information.

“Furthermore, it's often hard to connect stock market trades to specific hacks. Combining the difficulty of tying together multiple events with the difficulty of knowing what information was accessed means that from a purely cyber and digital forensics perspective, it could be incredibly difficult to prove specific trades were tied to compromise at the SEC. It is often through piecing together multiple forms of intelligence that intent, causation, or correlation can be surmised,” he said.