SEC says hackers may have traded using stolen insider
information
[September 21, 2017]
By Michelle Price
WASHINGTON (Reuters) - The top U.S. markets
regulator said on Wednesday that hackers accessed its corporate
disclosure database and may have illegally profited by trading on the
insider information stolen.
The Securities and Exchange Commission (SEC) said the hack occurred in
2016 but that it had only discovered last month that the cyber criminals
may have used the information to make illicit trades.
The hackers exploited a software glitch in the test filing component of
the system to gain access to non-public information, the agency said.
The SEC hosts large volumes of sensitive and confidential information
that could be used for insider-trading or manipulating U.S. equity
markets. Its EDGAR database houses millions of filings on corporate
disclosures ranging from quarterly earnings to statements on mergers and
acquisitions.
Although the SEC "promptly" patched the vulnerability after detecting it
in 2016, the regulator only became aware last month that the glitch "may
have provided the basis for illicit gain through trading", it said.
"It is believed the intrusion did not result in unauthorized access to
personally identifiable information, jeopardize the operations of the
Commission, or result in systemic risk," the SEC said, adding that it
was also liaising with the relevant authorities without naming them.
The incident comes just weeks after Equifax Inc <EFX.N>, a major U.S.
consumer credit reporting agency, disclosed that hackers had stolen data
on more than 143 million customers and underscores the threat cyber
criminals pose to the integrity of the financial markets.
It also raises questions about whether there were weak spots within the
SEC, an institution tasked with protecting investors and financial
markets, that allowed the hackers in.
The seal of the U.S. Securities and Exchange Commission hangs on the
wall at SEC headquarters in Washington, DC, U.S. on June 24, 2011.
REUTERS/Jonathan Ernst/File Photo
In July, months after the breach was detected, a congressional watchdog office
warned that the Wall Street regulator was "at unnecessary risk of compromise"
because of deficiencies in its information systems.
The 27-page report by the Government Accountability Office found the SEC did not
always fully encrypt sensitive information, used unsupported software, failed to
fully implement an intrusion detection system and made missteps in how it
configured its firewalls, among other things.
Cyber criminals have targeted financial information hubs before -- the Hong Kong
stock exchange and the Nasdaq stock exchange in New York were targeted by
hackers in 2011.
But the breach at the SEC is particularly egregious because its new boss, Jay
Clayton, has made tackling cyber crime one of the top enforcement issues during
his tenure.
It also puts the agency under a spotlight over why the 2016 breach was not
disclosed earlier. Securities industry rules require companies to disclose cyber
breaches to investors and the SEC has investigated firms over whether they
should have reported incidents sooner.
The SEC has scored some victories in tackling cyber criminals in recent years.
Two years ago it charged a group of mainly U.S.-based stock traders and computer
hackers in Ukraine with the theft of thousands of corporate press statements
ahead of their public release, resulting in more than $100 million in illegal
profit.
(Additional reporting by Eric Beech; Editing by Peter Cooney and Carmel Crimmins)
[© 2017 Thomson Reuters. All rights
reserved.] Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.