SEC owns up to 2016 breach

A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

SEC Chairman Jay Clayton
 

SEC Chairman Jay Clayton disclosed news of a 2016 breach of a critical financial data system.

 A key government financial database of was breached in 2016, said the Securities and Exchange Commission. In a Sept. 20 release, the SEC announced that a previously detected breach may have given hackers the opportunity to benefit financially through insider trading.

The breach was linked to a software vulnerability in the SEC's EDGAR system. EDGAR, short for Electronic Data Gathering Analysis and Retrieval, is a critical financial data system, collecting financial reports and disclosures from public companies.

The disclosure was made in a long "statement on cybersecurity" from SEC Chairman Jay Clayton.

 The SEC said the vulnerability was "patched promptly after discovery" but it does not say how long the vulnerability went undetected by agency IT personnel or contractors.

The flaw was exploited by hackers, and according to SEC, "resulted in access to nonpublic information." The statement also said that they believed the breach, "did not result in authorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk."

EGDAR is very old, even by government website standards. Though there have been software updates, new functionality added and hardware refreshes over the years, the current system dates back to 2001. According to a June 2016 solicitation for an EDGAR redesign, the system is "overly complex, expensive to operate, and more difficult to efficiently evolve."

The number of submissions to EDGAR has tripled over the last decade, and submission size had more than doubled. The system is processing four times more data than it did 10 years ago. Additionally, the system has been modernized to accept structured data filings in XML and XBRL form.

According to contracting documents from 2016, five separate security codes govern access to EDGAR services. Authorized users are assigned a 10-digit central index key, which is used in conjunction with a login password and an eight-character alphanumeric code that confirms the owner of the index key. Passwords can be changed by use of an eight-character alphanumeric code. There is also an eight character passphrase that can be used in conjunction with the central index key to change the confirmation code, the password and the password medication code.

The SEC is investigating the matter with "appropriate authorities" but did not specify which agencies are involved.