[BreachExchange] Hackers May Have Profited From SEC Corporate Filing System Attack

Thu Sep 21 10:32:18 EDT 2017

https://www.bloomberg.com/news/articles/2017-09-21/sec-says-hack-of-edgar-may-have-led-to-illicit-trading-profits

The vulnerability of governments and businesses to cyberattacks was exposed
again Wednesday when a top U.S. financial regulator said hackers had
breached its electronic database of market-moving corporate announcements,
and may have profited from the information they stole.

The hack of an aspect of the U.S. Securities and Exchange Commission’s
Edgar filing system occurred last year, the regulator said in a statement.
While the SEC has been aware of the breach since 2016, it wasn’t until last
month that the agency concluded that the cybercriminals involved may have
used their bounty to make illicit trades. The regulator disclosed the
intrusion for the first time Wednesday.

Edgar houses millions of filings on corporate disclosures ranging from
quarterly earnings to statements on mergers and acquisitions. Infiltrating
the SEC’s system to review announcements before they are released publicly
would serve as a virtual treasure trove for a hacker seeking to make easy
money.

SEC Chairman Jay Clayton said the agency’s review of the breach is ongoing
and that it’s “coordinating with the appropriate authorities.”

‘Everyone Vulnerable’

The SEC’s disclosure comes just two weeks after credit-reporting company
Equifax Inc. said it had been a victim of a hack that may have led to the
theft of personal data on 143 million Americans. With the public and
lawmakers still reeling from Equifax’s breach, the SEC intrusion is almost
certain to trigger additional questions over whether the U.S. government
can do more to protect data.

"This hack illustrates that protecting against hackers isn’t as easy as the
government sometimes expects of companies,” said  Bradley Bondi, a former
SEC attorney now in private practice. “Everyone is vulnerable at any time."

The SEC didn’t say which companies may have been impacted by the 2016
intrusion. Chris Carofine, a spokesman for Clayton, declined to comment
when asked what type of information was improperly accessed.

The breach occurred because of a software vulnerability in Edgar, the SEC
said in its statement. While the weakness was “patched promptly after
discovery,” it still resulted in hackers gaining access to nonpublic
information, according to the agency.

Security Concerns

The SEC discussed the 2016 hack in a lengthy statement by Clayton on the
agency’s cybersecurity efforts. He described some of the threats and data
that the agency routinely handles, its role in policing the online world,
and how it coordinates with other federal agencies.

While the SEC handles non-public drafts of rules and
personally-identifiable information, it said it doesn’t believe the breach
led to unauthorized access of that type of data, endangered the operations
of the agency, or resulted in “systemic risk.”

Still, Wednesday’s disclosure may heighten concerns around the Consolidated
Audit Trail, an enormous database of equity trades that is being built to
give regulators better transparency into markets and help them figure out
more quickly the causes of disruptions.

Financial firms have expressed concern about data breaches once the new
database is completed. The repository could include personal information
such as names and addresses from more than 100 million customer accounts.

The SEC has had other issues with Edgar, including people posting phony
takeover offers and other hoaxes on the system that have temporarily driven
up companies’ share prices. A number of filings are immediately posted on
Edgar when they are submitted to the database, so it’s unclear what kind of
information is kept non-public that could be a target for hackers.

‘Substantial Risks’

The SEC said it has been conducting an assessment of its cybersecurity
since Clayton took over as chairman in May. The former Wall Street deals
lawyer has discussed cyberrisks on multiple occasions in the context of the
threats public companies face and their responsibilities to protect
themselves. The SEC regulates what companies must disclose to shareholders
about breaches.

Last week, in response to a reporter’s question about the fallout from the
recent Equifax hack, Clayton said the agency was working to increase public
awareness of the “substantial systemic risks” associated with cybersecurity.

The data stolen from Equifax included Social Security numbers, drivers
license information and birth dates. Banks rely on the information that
Equifax and other credit-reporting companies provide in determining whether
consumers should get loans.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170921/9fe3d421/attachment.html>