The hack of the Securities and Exchange Commission's corporate filing database likely involved Eastern European criminals who may have been perusing market-moving information stored in the regulator's network for months, according to two people with knowledge of the matter.
It was during a routine maintenance check of the SEC's Edgar system that the agency discovered how long intruders might have had access to company secrets, said one of the people, who asked not to be named to discuss findings about the 2016 hack that haven't been disclosed.
Edgar is best known as a massive repository where firms inform investors about everything from their earnings to top executives' share sales. But the aspect of the database that was hacked is largely under the radar and houses test filings that are never meant to be released publicly.
While examinations of the breach are ongoing, there are signs the attack could have been part of a broader intrusion aimed at other government agencies or data troves maintained by private companies, the person said. SEC Chairman Jay Clayton has said the regulator is working with appropriate authorities and that the incident was reported to the Department of Homeland Security.
Chris Carofine, a spokesman for Mr. Clayton, declined to comment, while Homeland Security referred questions to the SEC.
Safeguarding Data
The breach has embarrassed the SEC by casting doubt on its ability to safeguard data that fuel billions of dollars in daily financial transactions. And since the agency is responsible for policing insider trading, there's a certain irony in its disclosing that crooks may have profited from information they stole from the regulator.
The SEC first revealed the intrusion in September, saying the hackers took advantage of a software weakness within the corner of Edgar where companies can practice submitting filings. The agency said the vulnerability was quickly patched, but that hackers were still able to exploit it to obtain nonpublic information.
The dummy forms allow startups to become comfortable with the SEC system, while enabling more-established corporations to make sure their disclosures format correctly. The regulator has cautioned companies to be careful about what they put in test announcements, but securities lawyers and executives have said it's not uncommon for the filings to include sensitive data that can move share prices.
Other than saying that the hack took place last year, the SEC hasn't provided a precise timeline, explained how the breach was discovered or laid out all it did to try to contain the fallout.
SEC officials first became aware something was amiss, one of the people said, when the regulator started getting indications that an unusual source was trying to access its Edgar test system. Of particular concern: The attempts appeared to be coming from Eastern Europe and from outside the SEC's firewall, which monitors and controls incoming network traffic, the person said.
It wasn't until much later that the full scope of the problem became clear when technology officials took the Edgar test system offline to make sure it was functioning properly. At that point, they found signs that hackers may have had unfettered access to dummy filings for several months, the person said.
The SEC enforcement division, which investigates illegal trading, is now examining whether there was any suspicious buying and selling ahead of company announcements that were first disclosed in nonpublic test filings.
Mr. Clayton, who took over as SEC chairman in May, has said he didn't become aware of the hack until August. He has also said he has no reason to believe the incident was reported to former Chair Mary Jo White, who stepped down in January. Ms. White has declined to comment on the breach.