The US Securities and Exchange Commission has announced that its electronic data gathering, analysis and retrieval (EDGAR) test filing system was breached last year, adding that information that leaked could have been used for insider trading.
The announcement comes a little more than a fortnight after US credit information provider Equifax disclosed a leak that involved the details of 143 million consumers.
The EDGAR database stores information and documentation from official company filings and past financial records.
In a statement, the SEC said the breach has taken place in 2016, but it was only in August that it became aware that this breach may have provided the basis for insider trading.
{loadposition sam08}"Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to non-public information," the statement said.
"It is believed the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the chairman."
SEC chairman Jay Clayton said: "Cyber security is critical to the operations of our markets and the risks are significant and, in many cases, systemic." Alongside the statement about the breach, Clayton also issued a long and rambling public statement on cyber security.
The statement also outlined the management of internal cyber security risks, including the incorporation of cyber security considerations in disclosure-based and supervisory efforts, coordination with other government entities, and the enforcement of the federal securities laws against cyber threat actors and market participants that do not meet their disclosure obligations.
Clayton said: “By promoting effective cyber security practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognises and addresses cyber security risks and, in circumstances in which these risks materialise, exhibits strong mitigation and resiliency.”
Commenting on the breach, John Suit, the chief technology officer at Trivalent, a provider of next generation data protection, said: "This breach, announced only two weeks after the hefty Equifax breach, is yet another example of the growing trend of cyber attacks on organisations with sensitive information, and demonstrates that everyone is vulnerable.
"While the security patch may have been repaired shortly following the incident, the damage was substantial. The only way to truly prevent a cyber attack of this immense size is to adopt next generation data protection that secures data at the file-level, keeping it safe from unauthorised users – even in the event of a breach.”