The Securities and Exchange Commission acknowledged Monday that a major hack of some of its key software had exposed two unnamed people’s personal information, including Social Security numbers.

The agency had initially said the 2016 breach may have allowed the hackers to make a profit from illegal stock sales but did not compromise any personal data. But after a “forensic data analysis,” the SEC determined that the “names, dates of birth and social security numbers” of two people were compromised, according to a SEC statement.

The two people involved have been alerted, according to an agency statement, which also acknowledged that the number of individuals affected may grow.

“The 2016 intrusion and its ramifications concern me deeply,” SEC Chairman Jay Clayton said in a statement. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.”

The hack occurred last year, but was not disclosed until last month, sparking criticism of the agency for its delayed announcement. This time, Clayton learned of the exposure of personal information Friday and disclosed it Monday morning.

The system that was breached, known as EDGAR, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. There can sometimes be a lag between the time when the reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.

The hack is still under investigation, including by the agency’s Office of Inspector General. The agency is also considering whether to upgrade the EDGAR system, according to the SEC statement.

“While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly,” Clayton said in a statement.