The country’s top Wall Street regulator says a cyberattack last year breached its system for storing documents filed by companies, possibly allowing hackers to make illegal profits.
The Securities and Exchange Commission admitted the breach in a statement posted Wednesday on its website.
Chairman Jay Clayton said a review of the agency’s cybersecurity revealed “a software vulnerability” in its EDGAR (Electronic Data Gathering, Analysis, and Retrieval) filing system. Hackers exploited that vulnerability, resulting in “access to nonpublic information,” he said.
The breach was fixed shortly after it was discovered in 2016, but some investors may have used the illegally acquired data to make illegal profits, Clayton said.
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber-threat actors have managed to access or misuse our systems,” he said.
He gave assurances that the cyberattack did not expose any personal information, but said it “may have provided the basis for illicit gain through trading.”
The agency announced the hack in the wake of a massive months-long hack of Equifax, a credit reporting agency, through which sensitive personal information of 143 million people was exposed.
Publicly traded companies use the SEC’s EDGAR system to file disclosure documents. It processes around 1.7 million filings a year.
The SEC has experienced other security risks in recent years. Clayton said in the same statement that a 2014 review could not locate some agency laptops that may have contained confidential information.
Instances of the agency’s staff using private, unsecure emails to send confidential information were also discovered.
The SEC will continue to investigate the cyberattack and might coordinate with the “appropriate authorities,” the statement said.
The Associated Press contributed to this report.