The U.S. Securities and Exchange Commission (SEC) revealed that a 2016 data breach of its EDGAR filing system may have "provided the basis for illicit gain through trading." The commission said that the intrusion didn't compromise any personal information, but it did offer access to companies' private documents, and the hackers could have used that ill-gotten information to give themselves an edge over other investors.
EDGAR is an SEC tool that makes it easy to find public documents. (Or at least easier than it would be if you had to navigate a bunch of different databases yourself.) It's used primarily by investors and journalists who are looking to stay on top of developments within specific companies. The key is timing—EDGAR filings are supposed to be published at a company's discretion, and this breach offered early access to sensitive documents.
The SEC discovered the breach in 2016 and said it patched the exploited vulnerability soon after it was discovered. But the damage was done, and in a statement, the commission said it found evidence in August that the intrusion may have given someone enough data to play the markets. This raises serious questions about EDGAR's security, but the commission said companies shouldn't panic about this incident. Quoth the SEC:
Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.
These problems were discovered as part of the SEC's push to investigate its security practices to find where they could be improved. Chairman Jon Clayton released a separate statement about those efforts, and in it, he said that the "scope and severity of risks that cyber threats present have increased dramatically" and that "constant vigilance is required to protect against intrusions." That's true for pretty much everyone.
Just look at some (relatively) recent headlines. The U.S. Office of Personnel Management suffered the biggest data breach in history. Half a billion Yahoo accounts were compromised. Hacks of online game stores, dating services, and document management companies affected millions (or hundreds of millions) of people. And the cherry on top? Equifax's recent hack, which led to the disclosure of 143 million people's private data.
The government, financial companies, and pretty much anyone else with an online presence is under attack. That isn't going to change, nor is the increasing severity of these data breaches, which can be used for everything from insider trading to identity theft. Sometimes these effects will be felt right away. Other times, like with the SEC's disclosure, they'll take a while to discover. Either way, it's clear things are just getting started.
