After the credit reporting firm Equifax revealed that the sensitive, personal financial information of perhaps 143 million Americans had been compromised by a cyber attack, some observers called for the US government to either commandeer the credit reporting function entirely or at least break the grip that Equifax, Experian, and TransUnion have on the data. But government intervention is no panacea, a point driven home last week when the Securities and Exchange Commission revealed its EDGAR filing system had been breached back in 2016.
“In August 2017, the commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the SEC said. “Specifically, a software vulnerability in the test filing component of the commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.” The agency added that it believes the intrusion “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk.” SEC Chairman Jay Clayton directed that an internal investigation start right away, according to the agency.
Now, while both hacks are bad news (and assuming there are no more disclosures from the SEC over this cyberattack), the Equifax debacle clearly is far more significant and potentially far more damaging to a far larger segment of the population. Still, that population has much greater legal recourse than those who use the EDGAR system.
Two executives at Equifax have already been pushed into retirement and the firm faces numerous government agency investigations, as well as at least one class-action lawsuit that could reach $70 billion in penalties and damages if the organizing attorneys prevail. The SEC will likely face a few pointed questions before lawmakers and use its failure to properly secure its system as justification for more taxpayer funding.