A 2016 incident may have provided the basis for illegal gain via trading.
In a statement on cyber security released on Wednesday, September 20, Securities and Exchange Commission chairman Jay Clayton announced that the agency had suffered a breach. An August 2017 investigation discovered that a 2016 security incident may have provided attackers access to information that could be exploited for illegal financial gains.
“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”
EDGAR is the SEC’s corporate filing system; companies use it to make the legal filings the agency requires. EDGAR has had security incidents in the past, as well as political scrutiny. In 2014 Rep. Carolyn Maloney of New York raised concerns over the timing of public filings being made available in relation to the movement of stock prices. Then, in 2015 Sen. Chuck Grassley of Iowa asked for information regarding potential vulnerabilities in EDGAR following a high-profile hoax.
“…with respect to our EDGAR system, we face the risks of cyber threat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks. We also face the risks of actors attempting to access nonpublic data relating to our oversight of, or enforcement actions against, market participants, which could then be used to obtain illicit trading profits.”
That appears to be what occurred in this case. The SEC has been facing a number of questions about its security posture of late. In July the Government Accountability Office issued a 27-page report outlining problems with the SEC’s information systems. At issue was the agency’s “controls for protecting confidentiality, integrity, and availability.” The report also outlined issues with intrusion detection and a lack of encryption in some areas.
While it may not be accurate to call the Government Accountability Office’s report prescient – it was technically written after the incident occurred – it certainly did seem to foretell what the SEC would discover in its August investigation.
Obviously, exploiting illegally accessed information for personal gain is considered insider trading. But this represents an emerging area of concern when it comes to cyber crime. In 2015, the SEC brought the very first insider trading case of this nature against a group of traders who were using Ukrainian hackers to access the networks of press release companies like Newswire. The traders then used the information contained in yet-unreleased press releases to place trades, which the SEC alleged made them over $100 million.
Given the type of information the SEC collects, it is a prime target for hackers.
“There are certain types of sensitive data that we must obtain from market participants in order to fulfill our mission. When determining when and how to collect data, it is important that we regularly review whether our related data protections are appropriate in light of the sensitivity of the data and the associated risks of unauthorized access.”
That’s probably an understatement.
What we Hashed Out (for skimmers)
Here’s what we covered in today’s discussion:
- The Securities and Exchange Commission issued a statement on Wednesday that disclosed a security incident that was discovered in August.
- The incident, which took place in 2016, may have allowed unauthorized access to information that could be exploited for financial gain via trading.
- Hacking to steal information to use for insider trading is an emerging cyber threat that the SEC must prepare for.