The two people involved have been alerted, according to an agency statement, which also acknowledged that the number of individuals affected may grow.
“The 2016 intrusion and its ramifications concern me deeply,” SEC Chairman Jay Clayton said in a statement. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.”
The hack occurred last year, but was not disclosed until last month, sparking criticism of the agency for its delayed announcement. This time, Clayton learned of the exposure of personal information Friday and disclosed it Monday morning.
The system that was breached, known as EDGAR, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. There can sometimes be a lag between the time when the reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.
The hack is still under investigation, including by the agency’s Office of Inspector General. The agency is also considering whether to upgrade the EDGAR system, according to the SEC statement.
“While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly,” Clayton said in a statement.