SEC computer system hacked despite warnings on security

The federal agency responsible for ensuring that markets function properly and for protecting investors is under fire after disclosing its computer system was hacked despite repeated warnings about deficiencies in its cybersecurity measures.

The Securities and Exchange Commission said late Wednesday that it discovered a breach of its corporate filing system last year but only became aware last month that information obtained by the attackers may have been used for illegal trading gains.

The agency did not explain why the initial hack was not revealed sooner, or which individuals or companies may have been impacted. The disclosure arrived two months after a government watchdog said deficiencies in the SEC’s filing system put the system, and the information it contains, at risk.

The hack was disclosed by SEC Chairman Jay Clayton in a statement posted to the agency’s website and comes just two weeks after credit agency Equifax revealed a cyberattack there had exposed highly sensitive personal information of 143 million people.

Clayton is scheduled to appear Tuesday before the Senate Banking Committee. Sen. Mark Warner, D-Va., a member of the committee, said in a statement Thursday that the disclosures by the SEC and Equifax show “that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”

Clayton said in the statement that a review of the agency’s cybersecurity risk profile determined that the previously detected incident was caused by “a software vulnerability” in its filing system known as Edgar, short for electronic data gathering, analysis, and retrieval system. It processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, sending billions of dollars in motion in fractions of a second.

Clayton said the SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical of the SEC’s handling of its information technology security for years.

Early this decade, the SEC inspector general’s office uncovered security lapses involving staffers who examined the data-protection systems of the stock exchanges. Some of the staffers used unencrypted laptops to store sensitive exchange information — and then carried the laptops to a Las Vegas conference for information security professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges’ information.

David Weber, a professor at the University of Maryland’s business school and a former assistant SEC inspector general, worked on that probe. The agency “clearly has not held itself to the same standard that it expects regulated companies to adhere to” and “needs to up its game,” he said in an interview Thursday.

In 2015, an impostor slipped through the Edgar system with a bogus $8 billion takeover bid for Avon Products. The stock rocketed 20 percent, but it quickly dropped, burning anyone who’d bought shares of the cosmetic giant at pumped-up prices. The SEC later sued a Bulgarian investor for allegedly orchestrating bogus acquisition bids for Avon and two other companies.