SEC Discloses Hackers Penetrated EDGAR, Profited in Trading

Chris Woodyard, writing for USA Today: Hackers made their way into the Security and Exchange Commission's EDGAR electronic filing system last year, retrieving private data that appear to have resulted in "an illicit gain through trading," the agency said. It was only in August that the commission learned that hackers may have been able to use their illegal activities to make ill-gotten gains through market trading, said Chairman Jay Clayton in a lengthy statement posted on the SEC's website. EDGAR, which stands for Electronic Data Gathering Analysis and Retrieval, is considered critical to the SEC's operation and the ability of investors to see the electronic filings of companies and markets. The SEC says about 50 million documents are viewed through EDGAR on a typical day. It receives about 1.7 million filings a year.

Assumption

[Archangel Michael]

Lets just assume that everything has been hacked, and proceed from there.

Because if it hasn't been hacked, then it will be. And if you think you haven't been hacked, you probably already have been.

This is the safest assumption of all, and is more than likely to be accurate at some point.

Re:

[Wootery]

Combined with severe and possibly violent, example-setting punishments

Yes yes, this will be the time that barbaric punishments will finally work as effective deterrents, right?

You ACs and your poorly-thought-out ideas.

Re:

[Qzukk]

But with AI we can finally unleash the full force of Roko's Basilisk on them and tell hackers that the AI will torture a simulation of themselves for billions of CPU cycles if they're caught!

Re:

[hord]

If violence isn't working, you aren't using enough of it.

Re:

[DCFusor]

Yup, and when everyone and -thing else has been hacked, I won't stand out as a target as much as before. We might even think of better ways to do ID...

Accountants

[fluffernutter]

This will just get worse and worse until organizations understand that technology is as important to their business plan as proper accounting, lawyers and paying shareholders. Up until now it seems to be an afterthought, glommed on and budgeted like office supplies.

Re:

[Archangel Michael]

This will get worse and worse until the people who are supposedly guarding the data get financially destroyed when any breach occurs, and we can start locking up hackers. And since hackers can more or less remain anonymous, locking them up is hardly a deterrent when any script kiddy can hack any system from Mom's basement.

Re:

[olsmeister]

Actually, the solution is probably to start locking up executives of companies who are found to be negligent in their data protection responsibilities.

Re: Accountants

[nehumanuscrede]

They like to use cost as an excuse for poor security. Cheapest hardware, outsourced IT personnel, and always slashing of the IT budgets. Security isn't an investment in their eyes, it's an expense. Is why they all like " The Cloud " because it offloads that responsibility onto anothers shoulders.

Not enough forward thinking to understand what happens to their stock price and / or litigation flooding when a serious breach goes public due to their negligence disguised as " cost savings ".

Start jailing the e

Re:

[Anonymous Coward]

nehumanuscrede posited:

They like to use cost as an excuse for poor security. Cheapest hardware, outsourced IT personnel, and always slashing of the IT budgets. Security isn't an investment in their eyes, it's an expense. Is why they all like " The Cloud " because it offloads that responsibility onto anothers shoulders.

Not enough forward thinking to understand what happens to their stock price and / or litigation flooding when a serious breach goes public due to their negligence disguised as " cost savings ".

Start jailing the executives of these companies and they'll start taking things more seriously.

Your analysis of the roots of executive negligence is, IMnsHO, spot on - although I would have substituted the acronym "MBAs" for "accountants" in the title of my response. After all, it's rare that a mere accountant rises to the executive suite of any significant-size corporation. MBAs, OTOH, absolutely dominate the top ranks of major corporations across the Western world. It is they, and not the accountants who work for them, who prioritize spending and set corpo

Re:

[Archangel Michael]

Just one minor complaint on your rant (most of which I agree with).

The SCOTUS ruled based on the actual law, not what people think the law ought to be. The corporate charter laws are fairly clear on the language.

The easy fix is to pass the ability to revoke corporate charters for criminal activity. Simply revoking the charter would essentially liquidate and invalidate all assets leaving the shareholders empty handed. This would effectively create a culture of ethical profits, not amoral(immoral) profits.

Re:

[torkus]

You'd be surprised how seriously the exchange take security...and how seriously the SEC pretends to.

The SEC regularly audits...and digs into all kinds of inane, improbable scenarios while often ignoring gaping holes. Their auditors are usually far more interested in finding 'something' that suits the current trend then an actual look at overall security. I've been through the process with them myself more than once and it's a comical game of 'what if'

What if a hacker stole a terminal
It has a password
What

Re:

[gidzero]

Until we realize that building secure systems is actually really hard, and we can't just glob on security. There is more to security then making sure systems are updated regularly, audits are performed, and absurd password requirements are met. The GAO report on the SEC's systems (https://www.gao.gov/assets/690/686192.pdf) had these 2 recommendations: (1) Maintain up-to-date network diagrams and asset inventories in the system security plans for GSS and a key financial system to accurately and completely

Re:Accountants

[Rob Riggs]

The information security professionals should define security standards, security auditing standards, and security reporting standards, much like we have in the financial realm, for all publicly traded companies. And they should lobby the SEC and Congress to mandate that these be filed with them just like quarterly financial statements. Actually, its far more likely that we can get the Europeans on board with this, and then it will eventually trickle down to the US.

Commander Adama didn't connect to the network...

[MikeDataLink]

Commander Adama in BSG had the solution to all of this! Pull the plug on the network connection!

Aren't filings on edgar public?

[fortfive]

What could a trader gain by hacking into it?

Re:

[Anonymous Coward]

One possibility they're submitting stuff that appears to be coming from the company, but really isn't.

This came up about two years ago regarding a fake company trying to acquire a real company, sending shares soaring like 20%...

Re:Aren't filings on edgar public?

[chill]

Not everything in EDGAR is public. Some items are submitted to EDGAR in advance of actions, and aren't released to the public until later, on a set schedule.

Those items can be used for frontrunning trades, and are essentially "insider information".

Re:

[BlueStrat]

Those items can be used for frontrunning trades, and are essentially "insider information".

But those in Congress can profit from "frontrunning" stock trading using their "insider information", it's only fair that others can as well, right?

Strat

Re:

[BlueStrat]

Wow, modded 'Troll' for dissing Congress, as low as their approval polls have been?

Must be some bored Congresscritters or their staff are trolling Slashdot comments in between passing Acts and laws selling-out the US population and exempting themselves from insider stock trading laws.

Strat

My bet

[fubarrr]

I bet that what they are talking about refers to people being able to see company's statements earlier than their nominal publication date. No hacking was required, that just had to make up a URL parameter

It will not get better any time soon

[Anonymous Coward]

The SEC has really been focusing on security the last few years which is good in some ways, pointless in others, and dangerous at the same time. What auditors always want is documentation. If you create some really nice documentation then they are happy. I have never seen any real meaningful attempt to validate security by SEC or auditors. Some clients really try but they just want indemnification. One thing about the documentation is that if you create complete and accurate documentation and provide to the

Mattresses and buried coffee cans

[Rick Schumann]

Are we approaching the point where the only way your money and valuable personal information is only safe if it's stuffed under your mattress or buried in a coffee can in your yard somewhere? i'm only half kidding.

Re:

[torkus]

Two people can keep a secret if one of them is dead, and the other doesn't have internet.

Government/Government Entity

[oldgraybeard]

The truth is if anyone wants something to get out to the public have a government/government entity collect and centralize all the sensitive information in order to protect it.

And BAM! it is in the WILD!! ;) lol

Trace the Money?

[bill_mcgonigle]

Let's see them trace the money to prove who the criminals are.

Many states are saying cryptocurrencies need to be regulated by them so that crimes can be traced, like fiat money.

Let's see the crime-fighting performance on this USD alt-coin, then.