US Securities and Exchange Commission Hack (2017)
The US Securities and Exchange Commission (SEC) hack, which took place in 2016 but was publicly disclosed in September 2017, involved the theft of sensitive corporate information from the SEC's Electronic Data Gathering Analysis and Retrieval (EDGAR) filing system. This breach raised significant concerns about the SEC's cybersecurity practices, particularly as it occurred alongside other high-profile data breaches, such as that of Equifax. Upon discovering the hack, the SEC initiated an internal investigation to determine the breach's specifics and subsequently launched new security measures, including the establishment of a Cyber Unit dedicated to investigating cybercrimes and a Retail Strategy Task Force aimed at protecting retail investors.
The breach was attributed to a vulnerability in EDGAR's test filing system, which hackers exploited to access nonpublic data that could potentially be used for illegal trading advantages. Initially, the SEC did not disclose the breach to the public until it was confirmed through an audit that private data had indeed been compromised. The incident drew criticism over the SEC's delayed response and its perceived failure to meet the same reporting standards it imposes on regulated entities. As part of its ongoing commitment to improve cybersecurity, the SEC has since focused on addressing vulnerabilities and enhancing its protective measures for investors.
US Securities and Exchange Commission Hack (2017)
Date: September 20, 2017
Place: United States
Summary
The US Securities and Exchange Commission (SEC) hack was a cybercrime in which hackers stole private corporate information from an SEC database that could have been used to profit illegally from stock market trading. The hack occurred in 2016 but was not revealed to the public until 2017. In the midst of other large-scale breaches such as that of the credit reporting agency Equifax, the hack drew increased criticism regarding how the regulatory organization handled the situation and the state of its own cybersecurity systems and practices.
Key Events
- September 20, 2017—The SEC releases a public statement announcing that one of the organization’s databases had been hacked by cybercriminals sometime in 2016.
- September 25, 2017—The SEC announces the launch of a new cybersecurity and fraud division to address security issues and investigate hacking and other data crimes.
Status
Immediately following the revelation of the breach, the SEC reported that an internal investigation was underway to determine exactly how the hack occurred. On September 25, the SEC announced the launch of two new security initiatives designed to protect investors and prevent future data breaches. The first measure included the creation of a cybercrime unit within the Division of Enforcement, known as the Cyber Unit, dedicated to investigating cyberattacks. In a second effort, the SEC created a Retail Strategy Task Force focused on identifying and investigating cases of fraud and misconduct that directly impact retail investors.
In-Depth Overview
Established by Congress in 1934 as part of the Securities Exchange Act passed that year, the US Securities and Exchange Commission (SEC) is an independent regulatory agency within the US government that is charged with developing and enforcing regulations regarding the purchase and sale of tradable financial assets and investments (stocks, bonds, etc.) to ensure greater investor confidence. The SEC has authority over trading floors such as the NASDAQ Stock Market and the New York Stock Exchange (NYSE) as well as over online exchanges. The organization is led by a board of five commissioners, with the requirement that no more than three can belong to a single political party at any time. The president of the United States designates which of the sitting commissioners will serve as chairman, with Donald Trump appointing Jay Clayton chairman in January 2017; he was sworn in to office on May 4.
Since the SEC shifted to digital data management, hackers and cybercriminals have, on several occasions, attempted to breach the SEC’s web-based data system. In May 2017, for instance, the SEC filed fraud charges against a man accused of attempting to manipulate stock prices for the Fitbit device by using someone else’s email account to post a fake regulatory filing on one of the SEC’s databases. Sometime in 2016, the SEC was subject to a hacking attack resulting in the infiltration of the organization’s Electronic Data Gathering Analysis and Retrieval (EDGAR) filing system. According to the reports, the hack was discovered in 2016, but it was uncertain whether or not the data breach uncovered information that was not already available for public view, and immediate action was taken that was deemed effective at securing the breach; therefore, the SEC postponed alerting the public until 2017. According to Clayton, during an audit in August of that year, the SEC discovered that private data had indeed been exposed and made the decision to alert authorities and the public.
EDGAR is a critical program that allows investors to view the electronic filings of companies containing information they are required to submit (such as company earnings and mergers) as well as to examine markets. This system is integral to ensuring that investors have sufficient information to make informed decisions about trading. While most of the documents circulated through EDGAR are public information, the system also contains nonpublic documents, and these documents are of interest to hackers as a means of getting an unfair advantage over other investors.
According to Clayton in his statement announcing the breach, the 2016 hack took advantage of a vulnerability in EDGAR’s test filing system. The vulnerability was patched immediately upon being discovered, but not before hackers were able to gain access to nonpublic data. The release was immediately criticized because Clayton included the information as part of a more general “Statement on Cybersecurity,” a lengthy document that extensively described the organization’s approach to security before revealing, in a few paragraphs, that the organization believed cybercriminals had gained access to nonpublic information and that illegal trading could have occurred as a result of the breach. Clayton further stated that the SEC did not believe the breach resulted in exposure of personal information; however, by October, he had revised this statement to reveal that continued analysis proved that personal information belonging to two unnamed individuals had been compromised. Critics argued that the SEC did not adhere to the same guidelines that it sets for the entities that it regulates regarding reporting cybercrime.
Key Figures
Jay Clayton: Chairman of the SEC who announced the data breach.
Bibliography
Clayton, J. (2017, September 20). Statement on cybersecurity. SEC. Retrieved from INK "https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20" https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20
Isidore, C. (2017, September 21). Why the SEC hack is a really big deal. CNN. Retrieved from http://money.cnn.com/2017/10/02/technology/business/sec-hack-2016-data-stolen/index.html
Lynch, D. J. (2017, September 22). SEC hacking disclosure fell short of its own guidance. Financial Times. Retrieved from https://www.ft.com/content/f5292994-9f09-11e7-8cd4-932067fbf946
Stevenson, A., & Tejada, C. (2017, September 20). S.E.C. says it was a victim of computer hacking last year. The New York Times. Retrieved from https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html
Woodyard, C. (2017, September 21). SEC discloses hackers penetrated EDGAR, profited in trading. USA Today. Retrieved from HYPERLINK "https://www.usatoday.com/story/money/business/2017/09/20/sec-discloses-hackers-penetrated-edgar-profited-trading/687761001/" https://www.usatoday.com/story/money/business/2017/09/20/sec-discloses-hackers-penetrated-edgar-profited-trading/687761001/