WASHINGTON (Reuters) - The personal information of two individuals was compromised in a recently uncovered hack of a Securities and Exchange Commission database, according to the agency’s chairman.
Chairman Jay Clayton said in a statement Monday that additional forensic analysis had found that the Social Security numbers, dates of birth, and names of two individuals were made available to the hackers after they breached the SEC’s corporate filing system known as EDGAR. The agency is reaching out to those people and offering them identity theft protection services.
Clayton had previously said no personally identifiable information had been accessed in the breach, which occurred in 2016. In his statement Monday, Clayton said the agency was still working to determine if additional individuals’ information may have been compromised.
In addition, Clayton said the SEC is immediately hiring additional staff and outside technology consultants to review and improve its existing cybersecurity policies and practices.
The agency is also reviewing its use of EDGAR, including reviewing the types of data companies can submit to it, as well as whether that database is the appropriate mechanism for gathering that sort of information.
Clayton said the agency is committing more resources to its efforts to modernize EDGAR, and expects to commit even more in the future.
He added that there are five separate reviews under way at the SEC following the hack. The Office of Inspector General, Division of Enforcement, and Office of General Counsel are all conducting separate probes into the hack, while the agency is also reviewing EDGAR and its cybersecurity in general.
However, Clayton cautioned that there could be “substantial time” before those reviews are complete.
Reporting by Pete Schroeder; Editing by Chizu Nomiyama and Andrea Ricci