SEC Gets Hacked, Refuses to Release Details About Just How Fucked Everything Might Be

Head of the SEC Jay Clayton being sworn in before the Senate Banking Committee during his confirmation hearing on Capitol Hill on March 23, 2017 in Washington, DC (Photo by Chip Somodevilla/Getty Images)

The Securities and Exchange Commission (SEC) has disclosed that hackers accessed sensitive information from its systems about publicly traded companies. And while the SEC has so far been tight-lipped about what kind of fallout the hack will have, the agency acknowledges that the hackers have probably conducted trades using the information.

The revelation from the SEC was buried in a lengthy and otherwise boring statement late Wednesday. Titled “A Statement on Cybersecurity,” the 4,110-word statement (not including footnotes) is bizarre for both its length and its ability to say almost nothing of substance.

But it sure has a lot of generalities about “enhanc[ing] the Commission’s ability to oversee and enforce rules governing market infrastructure” and “improv[ing] resiliency when systems problems do occur.”

What can we pull from the statement that actually matters? Hackers accessed the SEC’s EDGAR system, which is the electronic database used to store filings from publicly traded companies. Hackers gained access at some point in 2016 and the SEC supposedly just learned about it in August of 2017. To top it all off, the hackers have probably profited from the information.

From the SEC statement:

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.

And there you have it. That’s all they’ll say about the matter. For now, at least. The FBI and SEC won’t comment further and nobody is talking about why it took so long for the SEC to issue a statement, even if it didn’t have much information at all.

“The Commission will continue to prioritize its efforts to promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees,” SEC chairman Jay Clayton said in his unenlightening and boring-ass statement.

“This requires an ongoing, thoughtful evaluation of the data we obtain,” Clayton continued. “When determining when and how to collect data, we must continue to thoughtfully evaluate our approach in light of the importance to our mission of each type of data we receive, particularly in the case of sensitive data, such as personally identifiable and nonpublic information.”

The agency doesn’t “believe” that the intrusion resulted in access to personal information, but who on Earth actually believes that in this day and age? It’s always worse than they first believe. We’ve learned that in everything from the massive Equifax hack to the criminal operations of banks like Wells Fargo.

It can always get worse. That seems to be the slogan for 2017. And it doesn’t bode well for 2018.

[SEC and Wall Street Journal]

Matt Novak is the editor of Gizmodo's Paleofuture blog

DISCUSSION

Hacking into government systems is never good, but this incident - on the surface - seems like a relatively minor concern compared to the other tomfoolery going on in the world right now.

Sure, some hackers probably made a few bucks trading on inside information. That sucks, but the fact that they breached a government computer system carries a far more severe punishment than the resulting insider trading (see also: Kevin Mitnick, 5 years in federal prison; Martha Stewart, 5 months). If the breach was only in EDGAR, the potential damage to us serfs is nil - it’s pretty much just SEC paperwork and corporate filings/reports. At worst, they now have some C-level executives’ home addresses and phone numbers, but I don’t really feel sorry if any of those fuckers get their identities stolen.

I suppose the disconcerting part is that they don’t seem very sure how far the hack actually went (or they don’t want to admit it was worse than they’re suggesting).