(Bloomberg) -- The hack of the U.S. Securities and Exchange Commission’s corporate-filing database likely involved Eastern European criminals who may have been perusing market-moving information stored in the regulator’s network for months, according to two people with knowledge of the matter.
It was during a routine maintenance check of the SEC’s Edgar system that the agency discovered how long intruders might have had access to company secrets, said one of the people who asked not to be named to discuss findings about the 2016 hack that haven’t been disclosed.
Edgar is best known for being a massive repository where firms inform investors about everything from their earnings to top executives’ share sales. But the aspect of the database that was hacked is largely under the radar and houses test filings that are never meant to be released publicly.
While examinations of the breach are ongoing, there are signs the attack could have been part of a broader intrusion aimed at other government agencies or data troves maintained by private companies, the person said. SEC Chairman Jay Clayton has said the regulator is working with appropriate authorities and that the incident was reported to the Department of Homeland Security.
Chris Carofine, a spokesman for Clayton, declined to comment, while Homeland Security referred questions to the SEC.
The breach has embarrassed the SEC by casting doubt on its ability to safeguard data that fuels billions of dollars in daily financial transactions. And since the agency is responsible for policing insider trading, there’s a certain irony in it disclosing that crooks may have profited from information they stole from the regulator.
The SEC first revealed the intrusion in September, saying the hackers took advantage of a software weakness within the corner of Edgar where companies can practice submitting filings. The agency said the vulnerability was quickly patched, but that hackers were still able to exploit it to obtain nonpublic information.
The dummy forms allow startups to get comfortable with the SEC system, while enabling more-established corporations to make sure their disclosures format correctly. The regulator has cautioned companies to be careful about what they put in test announcements, but securities lawyers and executives have said it’s not uncommon for the filings to include sensitive data that can move share prices.
Other than saying the hack took place last year, the SEC hasn’t provided a precise timeline, explained how the breach was discovered or laid out all it did to try to contain the fallout.
SEC officials first became aware something was amiss, one of the people said, when the regulator started getting indications that an unusual source was trying to access its test Edgar system. Of particular concern: the attempts appeared to be coming from Eastern Europe and from outside the SEC’s firewall, which monitors and controls incoming network traffic, the person said.
It wasn’t until much later that the full scope of the problem became clear when technology officials took the test Edgar system offline to make sure it was functioning properly. At that point, they found signs that hackers may have had unfettered access to dummy filings for several months, the person said.
The SEC enforcement division, which investigates illegal trading, is now examining whether there was any suspicious buying and selling ahead of company announcements that were first disclosed in nonpublic test filings.
After initially saying that it didn’t think anyone’s personal information was compromised, the SEC said in early October that hackers had accessed two people’s private data including names, dates of birth and Social Security numbers. The individuals involved were two corporate officers who had included the information in dummy filings, according to the person.
Clayton, who took over as SEC chairman in May, has said he didn’t become aware of the hack until August. He’s also said he has no reason to believe the incident was reported to former Chair Mary Jo White, who stepped down in January. White has declined to comment on the breach.