The US Securities and Exchange Commission has revealed that its electronic company filings system was hacked previous year and the information may have been traded on, writes Dave Michaels for The Wall Street Journal. The cybersecurity risks there are huge; a hacker could, for example, sniff out investors' trading strategies and try to game them. While the weakness was "patched promptly after discovery", it still resulted in hackers gaining access to nonpublic information, according to the agency.
The SEC didn't say which companies may have been impacted by the 2016 intrusion.
The disclosures by the SEC raise concerns about the security of the agency's Consolidated Audit Trail (CAT) project, which is "intended to provide SROs [self-regulatory organisations] and the Commission access to comprehensive data that will facilitate the efficient tracking of trading activity across United States equity and options markets".
The SEC, like most companies, doesn't fully understand how the information in its various databases can be used.
"Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber-threat actors have managed to access or misuse our systems", he said. The SEC did not specify companies whose information may have been exposed, adding the intrusion did not expose any personally identifiable information or otherwise pose "systemic" risk.
Clayton goes on to disclose some of the potential ways the breach could have happened in the first place, including missing laptops containing nonpublic information, as well as instances where nonpublic information was transmitted through non-secured personal email accounts.
The country's top Wall Street regulator says a cyberattack previous year breached its system for storing documents filed by companies, possibly allowing hackers to make illegal profits.
"[This] is a watershed event for the American financial system and markets", Pierson told SearchSecurity.
According to Reuters, the SEC in particular had previously been pulled up by the U.S. government accountability office for failing to implement an intrusion-detection system properly, and making mistakes regarding things as basic as firewall configuration.
The mechanism of the SEC breach remains unclear.
"With any compromise, it's usually very hard to figure out what information was read and exfiltrated. It is often through piecing together multiple forms of intelligence that intent, causation, or correlation can be surmised".