Hackers Successfully Breach the “Fort Knox” of the US Financial Sector for Insider Trading
The Securities and Exchange Commission, the top markets regulator in the United States, disclosed earlier this week that criminals had infiltrated its database system that stored public company financial filings. The Commission said that the breach could have potentially allowed criminals to trade on that inside information. In a statement, the SEC's chairman, Jay Clayton, revealed that the agency first detected the breach a year ago. However, he added that the Commission only became aware of the possibility that this hack "may have provided the basis for illicit gain through trading" last month.
"Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information."
Following this, a confidential report from the US Department of Homeland Security reveals that its security team had detected five cybersecurity weaknesses, rated critical, on the Securities and Exchange Commission's computers back on January 23, 2017. Clayton had suggested in his report that the security vulnerability was "promptly" patched after discovery. While the SEC claims to have patched things up promptly, the DHS's January report tells a different story.
Cybercriminals hacked into the "Fort Knox" of SEC
Cybercriminals exploited a software vulnerability in the agency's EDGAR system (Electronic Data Gathering, Analysis and Retrieval), where companies go to submit their financial filings.
The EDGAR system is the heart of Wall Street, as the filing system is a central repository for information on companies that could include millions of filings, such as acquisition reports, company statements, and quarterly earnings. This treasure trove of financial information could have helped cybercriminals (and their sponsors) make easy money, as they would have potentially been able to trade on that information. Since the hackers specifically targeted this system, it is likely that illegal trading was their goal.
While the system allows public access to this data, it is designed to ensure that all parties get access to the same information at the same time. This means that no one can take advantage of financial data that hasn't been released to the public yet. If leaked early, it could be (and has been) used to buy or sell stocks before the information is out. Criminals could also potentially have accessed the SEC's Consolidated Audit Trail (CAT), which helps determine trading patterns.
The SEC says that it wasn't aware of this possibility until August this year, almost a year after it first detected the problem, and adds that personal data wasn't lost.
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk."
"Who watches the watchers"
The Commission has previously pushed Wall Street to start focusing its efforts on cybersecurity. In 2014, the SEC issued Reg SCI, a series of regulations telling the financial sector to improve its technology infrastructure, focusing specifically on protection from cyberattacks.
Wall Street is not happy with the irony, though, as the Commission took nearly a year to identify that it may have been responsible for insider trading. Not to forget, it didn't notify the public of the breach when it originally occurred back in 2016, something it has been asking companies to do promptly.
"It’s the same issue as Equifax, they are supposed to be the guardians of trusted information," cybersecurity expert Morgan Wright said. "The SEC is the Fort Knox for the companies, they hold all the gold, they hold all the most sensitive secrets."
The report of this hack comes only two weeks after the Equifax data breach that leaked personally identifiable information of over 143 million Americans, including their Social Security Numbers. Following the breach of the top credit-reporting company, the SEC breach is yet another mega cyberattack sending shockwaves through the country's financial sector.