SEC Discloses Hackers Made Off With Data From Its Filing System

The seal of the U.S. Securities and Exchange Commission at SEC headquarters, in Washington. Andrew Harnik / AP

By Alex Johnson

The U.S. Securities and Exchange Commission disclosed late Wednesday night that hackers breached its online filing system and may have made "illicit gain through trading."

The SEC, the agency responsible for regulating the financial securities industry, gave few details about the hack, saying only that it involved a software "vulnerability" in its EDGAR online filing system, resulting in "access to nonpublic information." The statement said that the agency didn't believe any personally identifiable information or SEC operations were compromised and that an investigation was continuing.

The breach was first detected in 2016, but the SEC didn't realize until last month that the hackers may have been able to exploit the hack for profit, according to a statement on cybersecurity policy, which was released at about 11 p.m. ET. Disclosure of the hack was confined to one paragraph almost a third of the way into the 5,000-word document, including footnotes.

The federal government has been bedeviled for years by high-profile cyber breaches, among them the theft of sensitive data about more than 21 million people whose records were compromised at the Office of Personnel Management in 2015.

NBC News reported in March that more than 8,000 documents posted by WikiLeaks included authentic material about CIA hacking methods, some of it classified top secret.

Last year, the security risk benchmarking firm SecurityScorecard ranked federal, state and local governments last among 17 major industries and institutions it examined for cybersecurity, highlighting outdated software and slow or inadequate deployment of critical updates.

In May, President Donald Trump signed an executive order mandating a single, unified set of standards for cybersecurity and making the heads of each government agency responsible for its own security.

The order put responsibility for cybersecurity on the shoulders of the director of every federal agency, making it more difficult for executives to pass the buck to their information technology staffs.

Wednesday night's SEC statement went out over the signature of Chairman Jay Clayton.