Yesterday, the US Securities and Exchange Commission (SEC) — the US government agency that regulates the financial sector — admitted in a statement that hackers breached one of its systems.
According to SEC Chairman Jay Clayton, hackers infiltrated the SEC’s EDGAR (Electronic Data Gathering, Analysis, and Retrieval) system, a database holding information on official company filings, future announcements, or past financial records.
Clayton says hackers exploited a vulnerability in EDGAR’s test filing component and managed to gain access to EDGAR’s backend.
This granted attackers access to past documents, which are all public anyway, but also to private filings regarding mergers, acquisitions, or other market-moving press releases that have not been made public yet, and which companies submit to the SEC in advance of important market transactions.
Breach detected in May 2017, disclosed this week
The SEC did not say when this intrusion took place but says it found about it in May 2016, and immediately patched the vulnerability.
Based on new events that came to light in August 2017, the SEC now believes the “incident previously detected in 2016 may have provided the basis for illicit gain through trading.”
It is unknown if the hackers profited from the illegal trading, or if they sold this information to third-parties.
The incident is similar to a hack that took place between February 2010 and November 2014 when a group of hackers based in Ukraine and Russia breached multiple public newswire services and gained access to soon-to-be-announced press releases from large corporations. Hackers sold these private press releases to other traders, who profited by exploiting the stock market.
SEC hack outshines Equifax breach
“The disclosed breach may have disastrous consequences outshining Equifax,” Ilia Kolochenko, CEO of web security company, High-Tech Bridge told Bleeping Computer via email.
“Cybercriminals could have manipulated the entire stock market and made billions of illicit profit. Ethical investors, including pension and sovereign funds, without the insider information could have lost fortunes as a result,” Kolochenko says.
“While we don’t have any technical details of the data breach, I would refrain from making any conclusions about its origins or attackers. The SEC statement is very obscure and may provoke speculation and rumors around it, including attempts to blame nation-states or attribute it to (in)famous hacking groups,” the expert added.