The Securities and Exchange Commission (SEC), America's most prominent regulator, acknowledged on Wednesday that its Electronic Data Gathering, Analysis and Retrieval ('EDGAR') database of corporate filings was hacked in 2016. The admission means that the intrusion was potentially far more serious than that in April 2015, when a Bulgarian hacker uploaded a fake press release to EDGAR about Avon Products being taken private by a fictional PE group. That release prompted a 20% spike in Avon shares which was quickly unwound.
According to SEC Chairman Clayton's statement, "In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading". The incident stemmed from "a software vulnerability in the test filing component" of the EDGAR system that "was exploited and resulted in access to nonpublic information". Although the vulnerability in question "was patched promptly after discovery", the regulator has not disclosed when the loophole was introduced or how long it took to patch.
The disclosures by the SEC raise concerns about the security of the agency's Consolidated Audit Trail (CAT) project, which is "intended to provide SROs [self-regulatory organisations] and the Commission access to comprehensive data that will facilitate the efficient tracking of trading activity across US equity and options markets". CAT is due to go online in November and will give the Commission "access to significant, nonpublic, market sensitive data and personally identifiable information". This makes it an obvious - and rich - target for hackers.
Clayton is due to testify to the Senate Banking Commission next week, which should provide further information about the hacking.