Why the SEC hack is a really big deal
A lucrative corporate takeover is in the works. The accountants at a big company think it might go under. An embattled CEO has decided to quit.
Information like this moves stock prices — and it lives on the computer network of the Securities and Exchange Commission before it ever becomes public knowledge. Hack the network and trade the stock, and you can make easy money.
That’s what may have happened at the SEC.
The regulatory agency, whose job is to keep investors on a level playing field, says its network was hacked last year, possibly allowing intruders to make money by getting their hands on crucial financial information before everyone else.
The network is called Edgar — Electronic Data Gathering, Analysis and Retrieval. All filings that publicly traded companies are required to disclose are sorted and posted there. The hypothetical corporate disclosures listed above are just a sampling of the valuable information.
SEC officials said the problem that enabled the hack was quickly discovered and fixed. But it “resulted in access to nonpublic information” that “may have provided the basis for illicit gain through trading.” An investigation is under way.
The SEC did not disclose which documents or companies were compromised. But Edgar houses virtually all information that would be important to investors making decisions on where to put their money.
Some information, such as quarterly earnings reports, is typically announced by companies in press releases before they make formal filings with the SEC. But Edgar holds far more detailed financial information and news, including plenty that companies don’t want to announce.
The SEC did not respond to a request for comment on Thursday.
Related: SEC says hackers stole market-sensitive data
The disclosure is an embarrassment for the agency, which issued guidelines to companies in 2011 on when companies have to alert the public after they are hacked.
And the news comes amid calls for the SEC to investigate and punish the credit score service Equifax (EFX) after a hack there exposed the information of 143 million people, including sensitive financial data and Social Security numbers.
In a letter, 37 senators asked the SEC and Justice Department to investigate whether three Equifax executives broke insider trading laws when they sold large blocks of company stock. They sold after the hack was discovered but weeks before it was disclosed.
The SEC said that unlike the Equifax hack, its own breach last year “did not result in unauthorized access to personally identifiable information.” But it admitted this isn’t the first time the agency has run into problems protecting sensitive information.
A 2014 internal review found that certain SEC laptops that may have contained nonpublic information had been lost. The review also found instances in which SEC personnel had sent nonpublic information through non-secure personal email accounts.
And the agency took action in May against a person who sought to profit by posting a bogus offer on Edgar to buy Fitbit (FIT), sending the stock up about 8% on the false news.