The Washington Post: Democracy Dies in Darkness

SEC reveals it was hacked, information may have been used for illegal stock trades

Jay Clayton testifies before the Senate Banking Committee during his confirmation hearing March 23 to be chairman of the Securities and Exchange Commission. (Chip Somodevilla/Getty Images)

The Securities and Exchange Commission, the country’s top Wall Street regulator, announced Wednesday that hackers last year breached its system for storing documents filed by publicly traded companies, potentially accessing data that allowed the intruders to make an illegal profit.

The agency detected the breach last year, but didn’t learn until last month that it could have been used for improper trading. The incident was briefly mentioned in an unusual eight-page statement on cybersecurity released by SEC Chairman Jay Clayton late Wednesday. The statement didn’t explain the delay in the announcement, give the exact date the system was breached or say whether information about any specific company was targeted.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton said in the statement.

The system that was breached, known as EDGAR, is a popular way for investors to access the detailed financial reports that companies selling stock to the public must periodically release. It had a “software vulnerability” that was “exploited and resulted in access to nonpublic information,” Clayton said in the statement.

The breach didn’t lead to the release of personally identifiable information, but “may have provided the basis for illicit gain through trading,” Clayton said. An investigation into the matter is ongoing, he said.

This is not the first time EDGAR has been compromised. The system receives thousands of documents a day, and in 2015 fraudsters posted fake information on the site about the takeover of Avon Products, driving the company’s stock price up significantly before the fake information was detected. And in 2014, several researchers found that submitted information was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage. (High-speed traders, for example, can make thousands of trades in the blink of an eye.)

“Effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency,” SEC Commissioner Michael S. Piwowar said in a statement.

The latest announcement could hamper the SEC’s efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street figures, including the New York Stock Exchange, have warned the database could become a target for hackers.

The credit reporting agency, Equifax, announced on Sept. 7 that a hack has impacted the credit histories of up to 143 million Americans. (Video: Amber Ferguson/The Washington Post)

This also comes at a time of heightened sensitivity to cyber breaches. The credit-reporting agency Equifax announced a massive hack earlier this month that affected 143 million Americans, sparking outrage on Capitol Hill and multiple investigations.
