SEC admits 2016 breach exposed personally identifiable information
The Securities and Exchange Commission announced Monday that the personal information of two people had been compromised in a database breach announced last month. The announcement reverses Chairman Jay Clayton’s previous statements about whether the breach exposed anyone’s personal information.
“The ongoing staff investigation of the 2016 intrusion has now determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals,” an SEC press release published Monday notes.
The SEC said that its ongoing investigation uncovered this new information after Clayton initially disclosed the breach in a Sept. 20 statement. The agency is offering the two unidentified individuals “identity theft protection and monitoring services,” according to the press release.
The commission has two separate, ongoing investigations into how the breach occurred and whether it resulted in illicit trading. The SEC said it is also reviewing cybersecurity practices surrounding EDGAR, its other databases and the agency in general. “This effort includes assessing the types of data the SEC takes in through the EDGAR system, and whether EDGAR is the appropriate mechanism to obtain that data,” the release said.
Clayton announced the breach of the EDGAR database last month in a lengthy written statement about cybersecurity at the SEC. The breach has raised concerns that the attackers used it to engage in insider trading, since EDGAR contains corporate disclosures that are not always immediately public. Clayton said in that statement that the SEC believes “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”