SEC data breach: hackers accessed personal information
02 October 2017 | 5862 views | 0
The Securities and Exchange Commission says that crooks may have accessed the personal information of two people during the 2016 breach at its Edgar corporate disclosure database.
In an update on the breach, first disclosed last month, SEC chairman Jay Clayton says that a test filing accessed by the hackers contained the names, dates of birth and social security numbers of the two unnamed people, who have been informed and offered ID theft protection.
On 20 September, Clayton revealed that the infiltration of the Edgar system - which houses non-public filings on upcoming corporate earnings statements and pending mergers and acquisitions - was detected in 2016 but that the watchdog only realised in August that data stolen may have been used for illicit trading.
In his update today, the chairman says: "The 2016 intrusion and its ramifications concern me deeply. I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward."
A review of the intrusion is being carried out by the Office of Inspector General, while the Division of Enforcement is looking into any potential illicit trading. Meanwhile, the SEC says that it is increasing resources for modernisation of Edgar, bringing in outside consultants and increasing the focus on cyber security.
"Chairman Clayton has authorised the immediate hiring of additional staff and outside technology consultants to aid in the agency’s efforts to protect the security of its network, systems and data," says the regulator.
Clayton initiated an assessment of the SEC's cybersecurity risk profile upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.
The watchdog was hauled over the coals by the US Government Accountability Office (GAO) in July, in a report which accused the agency of failing to consistently protect its network boundaries, authenticate users and encrypt sensitive information while in transmission.