UPDATED 21:40 EDT / SEPTEMBER 21 2017

Hackers use stolen data from SEC for insider trading: Here’s what it means

The U.S. Securities and Exchange Commission disclosed Wednesday that its internal systems had been compromised, with hackers using the stolen data to partake in insider trading.

The hack, which took place in 2016 but was only detected in August, involved the SEC’s EDGAR corporate reporting network, which contained information ranging from statements on mergers and acquisitions to quarterly earnings and other information that was not publicly known at the time it was filed.

In a statement, the SEC said that the hack occurred because of a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” the SEC added.

John Suit, chief technology officer at data protection firm Trivalent Inc., explained to SiliconANGLE that “this breach, announced only two weeks after the hefty Equifax breach, is yet another example of the growing trend of cyberattacks on organizations with sensitive information and demonstrates that everyone is vulnerable. While the security patch may have been repaired shortly following the incident, the damage was substantial.”

Along with its unprecedented nature, the hack raised a number of serious issues. “The SEC’s statement is remarkable for a number of reasons and might suggest that the agency is considering changes in a number of approaches, from data collection to vendor risk management to regulatory oversight,” Jake Olcott, former legal advisor to the Senate Commerce Committee and current vice president at security ratings firm BitSight Technologies Inc., told SiliconANGLE. “Though the disclosure lacks specifics around the damage caused by the incident, the thoroughness of the descriptions of its efforts to secure its own systems, the standards it follows, and the involvement of external third parties is unique for a government agency. It seems like the SEC is ‘tasting its own medicine’ with respect to cyberdisclosure — something that other agencies should follow.”

More needs to be done, though. Tony Gauda, chief executive officer and co-founder of ThinAir Labs Inc., said that “global visibility to when people access information is critical to enterprises and agencies that are trusted to safeguard that information. Breaches like this will continue to happen until organizations treat information with as much importance as you do gold and other physical assets.” He added that the security industry needs better business “impact quantification, for all parties to understand the actual value of information. One of the shortfalls of today’s approaches and detection tools is the lack of impact assessment.”

Indeed, it’s essential to keep fighting back against hackers, security experts said. Chester Wisniewski, principal research scientist at Sophos Group plc, explained that “while it may seem impossible to keep data secure with all of the breaches we hear about in the news, it is a battle worth fighting.”

“We should always do everything we can to prevent attacks, but more importantly we should be prepared for when we can’t. We thought the six weeks delay announcing the attack at Equifax was on the slow side, but the SEC not making a determination that EDGAR files were accessed for more than 18 months shows how poorly prepared businesses really are. The ability to monitor for exploitation by keeping a close watch and having tools in place to allow a root cause analysis after a breach, will contribute to reducing the damage after an incident.”

Photo: glass_window/Wikimedia Commons
