By Sarah N. Lynch and Joseph Menn
WASHINGTON/SAN FRANCISCO (Reuters) - Hackers breached the U.S. Securities and Exchange Commission's computer system last year by taking advantage of companies that used authentic financial data when they were testing the agency's corporate filing system, according to sources familiar with the matter.
The Federal Bureau of Investigation and the U.S. Secret Service have since launched an investigation into a 2016 hack into the SEC'S EDGAR system, several of those people said.
The sources spoke anonymously because it is not a public investigation.
The SEC's EDGAR system is a crucial network used by companies to file earnings reports and other material information.
Spokesmen for the FBI, the Secret Service and the SEC all declined to comment, saying they could neither confirm nor deny the existence of an investigation.
The breach occurred in October 2016 and was detected that same month. The attack appeared to have been routed through a server in Eastern Europe, according to an internal government memo describing the incident, which was seen by Reuters.
There was no evidence at the time that data had been improperly retrieved, according to one source familiar with the matter, and the issue was handled internally by the SEC's Office of Information Technology.
Only after the SEC's Enforcement Division detected a pattern of suspicious trading ahead of company public disclosures did officials go back to the agency's technology staff and ask if some companies were using authentic data when they were testing the EDGAR system, one of the people said.
The person said that "not many companies" had submitted real data that is believed to have been hacked.
The test process “is for people to submit test filings to ensure that they format correctly and don’t have submission errors," the person said.
"They normally use that right before they file their normal reports. They are supposed to use dummy data," the person said. "However, it is still supposed to be protected the same way in case they do something stupid. A couple companies did, and it wasn’t protected properly.”
SEC CHAIR TO CONFIRM PROBE
SEC Chairman Jay Clayton will confirm the enforcement division's ongoing investigation when he testifies Tuesday before the Senate Banking Committee, according to prepared testimony reviewed by Reuters.
He has also asked the SEC's Office of Inspector General to investigate the intrusion itself, the scope of non-public information that was stolen and how the SEC responded to the incident, which he said was properly reported to the Department of Homeland Security's Computer Emergency Readiness Team.
The FBI's investigation, which is being led out of New Jersey, is focusing specifically on the trading activity in connection with the breach, according to several sources.
One possibility the FBI is considering is that the SEC breach was connected to a group of hackers that intercepted electronic corporate press releases in a previous case which the FBI in New Jersey helped investigate, several of the sources said.
In that case, federal prosecutors in the New York borough of Brooklyn and New Jersey, as well as the SEC, charged an alliance of stock traders and suspected computer hackers based in the United States and Ukraine.
Clayton, who was installed as chairman in May, only learned of the 2016 breach in August through the enforcement investigation. SEC Commissioners Kara Stein and Mike Piwowar, who are the only other two sitting members of the agency at the moment, also only learned of it recently.
Some SEC enforcement attorneys not involved in the matter learned about it when they read it in the newspaper, sources said.
The delay in disclosing the hack and the months-long gap between uncovering it and discovering the potential insider trading are particularly embarrassing for an agency that has pushed companies to bolster their cyber capabilities and which investigates companies for failing to disclose breaches to investors faster.
While no company has ever been charged for flawed disclosures, the SEC has previously brought charges against brokerage firms over poor cyber security practices.
The SEC has experienced other cyber incidents in recent months.
Between October 2016 and April 2017, the SEC documented a variety of various cyber security incidents, according to one source familiar with the matter.
Reuters was not immediately able to ascertain the nature of all of the incidents, though the source said several involved EDGAR.
In one other case that was not related to EDGAR, a server being set up for SEC use had not been updated to fix known vulnerabilities, one person familiar with the matter said.
The SEC detected unauthorized communications from it. The FBI watched the traffic, which was early signalling or “beaconing” rather than the export of important information, and the hole was closed. In that case, the signal from the beacon was sent to a server in Ukraine, the person added.
The SEC has been criticized for its cyber defences. The U.S. Department of Homeland Security detected 5 "critical" vulnerabilities that needed to be fixed when it scanned a sample of the agency's computers and devices the week of Jan. 23.