The top regulator for U.S. financial markets says hackers may have made money from breaking into its corporate filing system and gaining access to inside information about companies.
Securities and Exchange Commission Chairman Jay Clayton disclosed in a lengthy statement late Wednesday that a hack was detected last year. The government agency learned last month that the breach "may have provided the basis for illicit gain through trading," he said.
The hackers took advantage of a software vulnerability in the SEC's EDGAR system, a vast database that holds all the documents publicly traded companies have to file with the regulator. Through the flaw, the intruders were able to obtain information that hadn't been made public, Clayton said.
EDGAR contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. Accessing that information before it's disclosed publicly could allow hackers to make money by anticipating how a share price would respond.
The vulnerability was fixed "promptly after discovery" and the SEC believes it did not "result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk," Clayton added.
Related: Equifax tweets fake phishing site to concerned customers
His statement didn't provide any details about the information the hackers obtained or which companies might have been affected, but did make clear that the investigation is continuing.
The SEC is the latest high-profile organization to admit its cyber defenses have been breached. Its announcement comes about two weeks after credit reporting agency Equifax said a major hack may have exposed personal data on as many as 143 million people.
Clayton said attempts to hack the financial industry would continue.
"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," Clayton said.
"We must be vigilant. We also must recognize -- in both the public and private sectors, including the SEC -- that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."
