Hackers broke into an SEC database and made millions from inside information, says DOJ

By Kate Fazzini, Liz Moyer

The U.S. Securities and Exchange Commission in Washington, D.C.
The U.S. Securities and Exchange Commission in Washington, D.C.

Federal prosecutors are set to unveil charges in an international stock trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information, according to Reuters. Some of those filings were "test filings," which corporations upload to the SEC's website.

A press conference was scheduled for Tuesday morning. The charges are set to be announced by New Jersey U.S. Attorney Craig Carpenito alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.

The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The Commission said the database was penetrated in 2016 but the incident wasn't detected until August 2017.

"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," Mr. Clayton said at the time. "We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

According to U.S. Attorney Craig Carpenito, U.S. Attorney for the District of New Jersey speaking in a press conference Tuesday, the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito.

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where the either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC's Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn't name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

The two hackers indicted have not yet been arrested. Carpenito would not say where the Justice Department thinks the individuals may be residing.

Also at the time, the incident sparked fears over the SEC's Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order -- either stock or option -- made in the U.S., with the goal of providing enough data to analyze for detecting market manipulations and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in Novembet 2019. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their social security numbers and dates of birth.