Two weeks after international credit rating agency Equifax revealed that it had experienced a security breach between May and July this year, the US Securities and Exchange Commission has now disclosed that its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system was hacked last year. The EDGAR system stores financial documents filed by publicly traded companies. According to the SEC: “In 2017, on a typical day, investors and other market participants access more than 50 million pages of disclosure documents through the EDGAR system, which receives and processes over 1.7 million electronic filings per year.”
Regarding the breach, this is what the SEC had to say:
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
Even though the SEC believes that there was no unauthorized access to personally identifiable information, some illegal stock trades may have been carried out.
“Our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
One question that immediately comes to mind is why the Commission waited this long before revealing the breach. Is it because of the Equifax fiasco? The Commission has also not disclosed any specifics regarding when the breach actually took place or whether any particular companies were targeted.
It’s worth noting that the system was allegedly compromised in 2015 as well, when it was discovered that a fake buyout filing about Avon Products had been posted in EDGAR, resulting in a significant increase in the company’s stock price, which could have been exploited by the miscreants.
Equifax security breach
On September 7, Equifax disclosed that a vulnerability in one of its web applications had led to the leak of personal and financial data of around 143 million American citizens. The leak comprised millions of social security numbers (SSNs), driver’s license numbers, and a couple hundred thousand credit card numbers, among other documents. Subsequently, it came to light that personal and financial data of around 400,000 Britons and unspecified data of about 100,000 Canadians had also been part of the leak.
That’s not all. Earlier this week, we learned that there was another breach in March 2017 related to a payroll service. The company has claimed that the security breach in March was communicated to the customers as well as the regulator. Then there is the criminal investigation being conducted by the US Justice Department to ascertain whether certain senior executives at Equifax engaged in insider trading by selling stocks of the company on August 1 and 2, before the company had publicly disclosed that a security breach had taken place.