SEC brings charges over $4m data hack
18 Jan 2019
The Securities and Exchange Commission (SEC) is charging nine defendants who hacked into the regulator’s electronic data gathering, analysis, and retrieval (EDGAR) system and extracted non-public information to use for $4m (£3.09m) of illegal trading
18 Jan 2019
The SEC has charged a Ukrainian hacker, six individual traders in California, Ukraine, and Russia, and two entities. The hacker and some of the traders were also involved in a similar scheme in 2015to hack into newswire services and trade on company information that had not yet been released to the public, which also saw millions of dollars in profit from insider dealing.
The regulator said that Ukrainian hacker Oleksandr Ieremenko turned his attention to EDGAR the following year and used the same techniques to extract files containing non-public earnings results.
SEC said he circumvented EDGAR controls that require user authentication and then obtained confidential ‘test files’, which issuers can elect to submit in advance of making their official filings to help make sure EDGAR will process the filings as intended.
Issuers sometimes elected to include non-public information in test filings, such as actual quarterly earnings results not yet released to the public. Ieremenko got hold of some of these files from SEC servers, and then passed the information to different groups of traders based in Ukraine, Russia and Los Angeles.
The information was used to trade in the narrow window between when the files were extracted from SEC systems and when the companies released the information to the public. In total, the traders traded before at least 157 earnings releases from May to October 2016 and generated at least $4.1m in illegal profits.
Steven Peikin, SEC enforcement division co-director, said: ‘The trader defendants charged today are alleged to have taken multiple steps to conceal their fraud, including using an offshore entity and nominee accounts to place trades.
‘Our staff’s sophisticated analysis of the defendants’ trading exposed the common element behind their success, providing overwhelming evidence that each of them traded based on information hacked from EDGAR.’
In a parallel action, the US attorney’s office for the district of New Jersey has announced related criminal charges.
In a statement SEC chairman Jay Clayton said: ‘This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types.
‘These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion.
‘Here at the SEC, we recognize that we must continuously use the resources available to us efficiently and effectively to bolster our cybersecurity defences and reduce our cyber risk profile.’
Report by Pat Sweet