Criminal hackers may have gained access to personal information belonging to two individuals during the 2016 breach of the Securities and Exchange Commission’s Edgar online filing system, the SEC said on Monday.
The commission did not identify or describe the affected individuals, whose names, dates of birth and social security numbers were compromised during the cyber attack, but said it was offering them credit monitoring and identity protection assistance.
SEC chairman Jay Clayton disclosed the 2016 incident on September 20, saying that commission officials discovered in August that the hackers may have used the information in the Edgar system to make illicit gains. Mr Clayton learned the additional details about the two individuals only on Friday, the commission said.
“The 2016 intrusion and its ramifications concern me deeply,” Mr Clayton said. “I am focused on getting to the bottom of the matter and, importantly, lifting our cyber security efforts moving forward.”
The commission notably did not rule out the possibility that additional individuals may have been victimised in the Edgar breach, describing its investigation as ongoing.
Mr Clayton, who has asked the SEC’s inspector general and general counsel to launch separate evaluations of the commission’s handling of the 2016 episode, is certain to face tough questions on Wednesday during scheduled testimony before the House financial services committee.
Along with the internal probes, the commission’s enforcement unit is investigating the potential illicit trading that resulted from the cyber attack while other SEC staffers are developing potential upgrades to an ongoing Edgar modernisation.
“The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cyber security matters,” the SEC said.
Shortly after taking office on May 4, Mr Clayton ordered a broad cyber security offensive, which includes a review of all systems, including the planned consolidated audit trail database, that contain market sensitive data or personally identifiable information.
SEC officials also plan exercises to test the commission’s reaction to cyber security incidents and Mr Clayton has ordered the “immediate hiring” of additional cyber experts.
But John Stark, the former head of the SEC’s office of internet enforcement, criticised the lack of any independent probe of the agency’s performance and called the emergency hiring plans “more pipe dream than reality”.
US government hiring procedures mean it will take several months or perhaps more than a year to bring new talent onboard. “The private market for cyber security personnel currently offers double or even triple the compensation and benefit packages that the SEC can offer,” said Mr Stark.