The Securities and Exchange Commission announced Wednesday evening that its electronic database of company filings was hacked last year.
The regulator said it learned about the security breach in August and that it may have resulted in illicit trading gains. The hackers exploited a software vulnerability in its EDGAR system — its database of corporate documents — to access nonpublic information, according to the statement.
“Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself,” SEC Chairman Jay Clayton said in a statement on cybersecurity Wednesday. He said the breach was patched promptly after discovery and the regulator continues to investigate the incident in coordination with the “appropriate authorities.”
The hack is the latest to alarm investors and ordinary individuals this year. Credit-reporting company Equifax announced two weeks ago that its security had been breached, exposing customer data such as Social Security numbers, birth dates and addresses. In May, ransomware program WannaCry breached organizations such as hospitals and rail systems in more than 100 countries in just two days, according to a blog post that month by Limor Kessem, an executive security advisor at IBM.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant.”
The SEC said the EDGAR hack did not result in access to personally identifiable information, and it did not specify which companies were exploited in the cyberattack.
Clayton was sworn in as SEC chairman in May. That same month he initiated a review of the SEC’s approach to cybersecurity from a regulatory and oversight perspective, according to his statement Wednesday.