SEC EDGAR hack took months to discover

Last Updated Sep 21, 2017 2:33 PM EDT

The Securities and Exchange Commission faces questions about its own security after announcing that hackers penetrated its electronic platform for corporate filings.

SEC Chairman Jay Clayton said in a statement late Wednesday that undisclosed parties gained access to the Electronic Data Gathering, Analysis, and Retrieval system, known as EDGAR, in 2016. The cyberthieves appear to have traded on the information they gained illegally and may have made a profit, according to the agency.

The attack on the SEC, which exists to protect investors and ensure that the nation's capital markets work efficiently, comes amid heightened fears about hacking after Equifax (EFX) revealed last month that sensitive data belong to 143 million Americans had been compromised following a months-long breach of the credit bureau's systems.  

The agency said that a software vulnerability in EDGAR, which publicly listed companies use to make regulatory disclosures, was "exploited" for access to nonpublic information. The flaw was fixed quickly, according to the agency.

The SEC discovered the intrusion only in August, a full three months after Clayton ordered a review of the agency's security. The review also revealed that SEC personnel had used private email accounts to transmit confidential information.

"Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems," SEC Chairman Jay Clayton said in a statement disclosing the hack. 

The SEC said it does not believe the cyberattack compromised personally identifiable information, such as names. The agency is investigating the matter.

"In today's environment, cyberattacks are perpetrated by identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, so-called 'hacktivists,' terrorists, state-sponsored actors and others," said Clayton, who was picked by President Donald Trump to head the SEC.

Such attacks undermine confidence in financial markets and can create risks for investors and consumers, the SEC said.

  • Alain Sherter On Twitter»

    Alain Sherter covers business and economic affairs for CBSNews.com.