Jay Clayton, the Chairman of the US Securities and Exchange Commission (SEC), said on Monday that the cyberattack the agency announced last month exposed the private information of some individuals. The Chairman had previously maintained that no personal information was stolen as part of the hack.
"The ongoing staff investigation of the 2016 intrusion has now determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals. This determination is based on forensic data analysis conducted since the agency's Sept. 20th disclosure of the intrusion which relied on the latest information available at that time."
SEC is currently conducting five separate reviews
In a statement released today, Clayton said that the ongoing investigation into the now year-old cyberattack has revealed that the personal data, including Social Security numbers and birth dates, of at least two individuals was compromised. The agency is currently reaching out to the affected people and offering them identity theft protection services.
During his testimony last week, Clayton had said that no personally identifiable information was accessed in the breach. The attack was first announced last month but occurred in 2016; it targeted the agency's EDGAR system, potentially enabling insider trading.
"Chairman Clayton was informed by staff of this new information this past Friday, and staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services," the SEC statement reads.
"Should the agency’s review uncover additional such individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring as well."
Today's statement also added that the agency is currently conducting five infosec reviews:
- 2016 cyberattack is being reviewed by the Office of Inspector General
- A focused review of EDGAR using outside consultants
- Division of Enforcement is looking into illicit trading
- General assessment and uplift of the agency’s cybersecurity risk profile
- Internal review of 2016 EDGAR intrusion being overseen by the Office of General Counsel
Before the SEC hack disclosure, Chairman Clayton had suggested that companies need to be more proactive when it comes to breach notifications. While it initially took the agency itself several months to notify the public of the cyberattack, the SEC is now taking measures to keep the public updated about the ongoing investigations.
"The 2016 intrusion and its ramifications concern me deeply," Clayton said in today's statement. "I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward."