The U.S. Securities and Exchange Commission said Monday that the hackers who broke into its corporate filing system last year accessed two people's personal information, a change from the agency's previous assessment that it didn't believe such data had been compromised.
The breach of the SEC's Edgar database, which was first made public last month, led to the disclosure of names, dates of birth and Social Security numbers, the regulator said.
The SEC didn't provide details on whose personal data may have been stolen, including whether they were agency employees. SEC Chairman Jay Clayton had previously said the regulator didn't think hackers had accessed such information, which could be used for identity theft. Mr. Clayton learned Sept. 29 that personal data was breached, the agency said.
"Staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services," the SEC said. Should the SEC determine that other people's data were stolen, it will "contact them and offer them identity protection and monitoring as well," the regulator said.
Since disclosing the incident on Sept. 20, Mr. Clayton has come under mounting pressure from lawmakers to provide additional details about the 2016 intrusion. The SEC has said it believes the hackers may have accessed market-moving information that they traded on. The SEC has said its enforcement division is investigating the incident.