Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Incident Response

SEC Says It Was Hacked in 2016

The United States Securities and Exchange Commission (SEC) said late Wednesday that it was the victim of a cyber-attack in 2016 that may have allowed hackers to profit through trading on non-public information in its EDGAR filing system.

The United States Securities and Exchange Commission (SEC) said late Wednesday that it was the victim of a cyber-attack in 2016 that may have allowed hackers to profit through trading on non-public information in its EDGAR filing system.

“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the Commission announced.

“Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” the announcement continued. 

SEC HackedAn internal investigation was commenced immediately at the direction of SEC Chairman Jay Clayton.

According to Clayton, the EDGAR system receives and processes over 1.7 million electronic filings per year.

“While we don’t have any technical details of the data breach, I would refrain from making any conclusions about its origins or attackers,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “The SEC statement is very obscure and may provoke speculation and rumors around it, including attempts to blame nation-states or attribute it to (in)famous hacking groups.”

While the SEC did not make any suggestion on the possible threat actor(s) behind the attack, it is certainly not the first-time attackers have targeted non-public company information that could have been used to gain insights leading to profits.

In March 2017, FireEye shared details of a cybercrime group tracked by the company as FIN7, which had been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the SEC.

In August 2015, the SEC announced that a cybercriminal group hacked into newswire services to steal non-public information about corporate earnings announcements that were used to make financial trades that generated more than $100 million in illegal profits.

Advertisement. Scroll to continue reading.

In December 2016, the SEC charged three Chinese men accused of hacking into two New York-based law firms to steal information related to clients that were considering mergers or acquisitions, which the hackers then used to trade.  

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Chairman Clayton said in a statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

In a related statement, Clayton detailed the SEC’s approach to cybersecurity as an organization and as a regulatory body.

“This incident clearly exposes how vulnerable our global financial ecosystem is, and how unprepared we are to fight skyrocketing cybercrime,” Kolochenko added. “In the future we will see steady fusion of common crime with cyber gangs that jointly may challenge state power and dictate their laws, while law enforcement agencies are catastrophically underfinanced by governments and just don’t have enough resource to tackle global cybercrime.”

The SEC said that the 2016 intrusion “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” 

News of the SEC hack comes less than two weeks after credit reporting agency Equifax said it was the victim of a massive cyber-attack that exposed sensitive data on more than 143 million people. 

Related: Cybercriminals Target Employees Involved in SEC Filings

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.