
SEC Discloses Edgar Corporate Filing System Was Hacked in 2016 - k2enemy
https://www.wsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552
======
piker
Sympathy for the SEC on this one. For its faults, EDGAR is an elegant, useful
tool for disseminating a massive amount of information. In an effort to be
robust in the service of its presumably thousands of poorly-configured clients
(academia, hobbyists, day traders, etc.) it's probably trivial to mistake a
hostile act for poor programming practices. We've used this system
successfully to fuel tons of projects and only on a few occasions been rate-
limited despite numerous logic breakdowns, fork bombs, etc. resulting in
traffic spikes that would have been easily mistaken by a smaller organization
to be DoS attacks. While it's easy to say they should have been more vigilant,
they have probably been _deliberately_ permissive in the service of their
mandate. Thanks to their patience, our projects have been served. That sort of
patience probably leads to overlooking something like this.

~~~
xadhominemx
In what ways is EDGAR elegant?

~~~
piker
Well, for one, it's 34 years old and is simple enough for non-technical people
to use but robust enough for institutional use. For another, it's scaled to
accommodate 3 decades of exponential growth in public filings and regulation.
Did I mention it's 34 years old?

~~~
Harkins
I'm not sure about exponential growth in public filings (and EDGAR does not
track regulation, so it's not relevant). For example, the number of publicly
traded companies is down about 70% compared to twenty years ago:
[https://fred.stlouisfed.org/series/DDOM01USA644NWDB](https://fred.stlouisfed.org/series/DDOM01USA644NWDB)

Could you share a link showing exponential increase in the use of EDGAR?

~~~
piker
Sure. Although you should be aware that not only public companies are required
to make filings with the SEC.

Index - Q1 1994 - 3mb - [https://www.sec.gov/Archives/edgar/full-index/1994/QTR1/form...](https://www.sec.gov/Archives/edgar/full-index/1994/QTR1/form.idx)

Index - Q1 2017 - 45mb - [https://www.sec.gov/Archives/edgar/full-index/2017/QTR1/form...](https://www.sec.gov/Archives/edgar/full-index/2017/QTR1/form.idx)

~~~
hbcondo714
File sizes are also increasing because filers are adding structured data[1] to
their SEC filings. Also, most SEC Filings are now verbose HTML files instead
of plain-text files.

[1] [https://www.sec.gov/structureddata/what-is-structured-data](https://www.sec.gov/structureddata/what-is-structured-data)

~~~
zwp
And not really exponential. Something interesting happened 2003-2004 though.
We can perhaps observe lead up to dot-bomb (1996-1999 growth) and the 2008
financial crisis.

[http://hpics.li/2e78909](http://hpics.li/2e78909)

        1994,3153191
        1995,4813587
        1996,7539137
        1997,13755958
        1998,16107028
        1999,15935643
        2000,17548021
        2001,16873202
        2002,18904001
        2003,27723307
        2004,47116841
        2005,47982675
        2006,50672891
        2007,51322342
        2008,49635521
        2009,45312542
        2010,45384720
        2011,46455461
        2012,46733150
        2013,45842099
        2014,47065954
        2015,48112988
        2016,46636963
        2017,47037415

~~~
hbcondo714
Nice breakdown! The SEC introduced some new filing requirements[1] in 2003 and
2004 that may have contributed to this.

[1] [https://www.sec.gov/info/edgar/regoverview.htm](https://www.sec.gov/info/edgar/regoverview.htm)

------
zaroth
Breaching EDGAR and getting away with trading on the information -- and we are
learning about this now?!

To be fair, I've used EDGAR and it is <cough> very legacy. So no question it
was going to be completely compromised.

I'd say the mistake was putting non-public information on it in the first
place. The risk assessment for private data exposure was extreme.

~~~
Overtonwindow
Edgar is almost as outdated as the TESS system for patents. I'm surprised
someone hasn't "hacked" it long ago. Unfortunately, due to Sarbanes-Oxley a
lot of that information is required to be public.

~~~
dboreham
Shouldn’t that be “Fortunately...” ?

~~~
dajohnson89
That really depends on how you feel about the disclosure requirement.

~~~
zdkl
You're gonna have to explain why one would feel negatively about public
disclosure.

~~~
ringaroundthetx
Why should someone have to explain that simply because you haven't thought
about the existence of a possible other perspective?

The United States has protected trade secrets by law far longer than it's been
on the transparency train.

There are reasons for that, and the corporate disclosure requirements have had
no effect on creating a "fair market".

~~~
zdkl
I was just asking for an opinion from someone in that camp.

Your answer does not give faith in your business practices, as a client or as
an investor. I suggest you work on communication, even with strangers on the
internet.

------
mobilefriendly
Congress should look at the SEC obligations for disclosure (the delay seems
wrong given the organization's mission of transparency... the SEC would
sanction a public company for a similar failure to disclose) and why the SEC
decided to wait a year to inform the public. Not disclosing the hack back in
August 2016 strikes me as a political decision by the Obama Administration to
avoid criticism during the home stretch of the election.

~~~
iamatworknow
If it was intentionally covered up by Obama's administration, why did Trump's
administration wait 9 months to make it public? Not everything has to be
politically motivated.

------
tannhaeuser
How come SEC only discloses this now? Isn't preventing insider trading a goal
of financial regulations? If so, is there a reason SEC didn't disclose it as
soon as they gained knowledge of the leak?

I think this goes to show that _any_ data collection is dangerous, even if
government thinks they're the good guys (when in fact they're naively
collecting data that could be weaponized against them very easily). The EU is
on to it as well with MiFID II granular reporting of financial market
transactions starting effectively next year.

Though I'm not sure the Brits are going to play along (where the majority of
trading happens in Europe); after all, why should they go through the trouble
of implementing MiFID/MiFIR when leaving EU anyway?

Edit: _preventing_ insider trading

~~~
HolyLampshade
Well, just because this was disclosed to the public now doesn't mean it wasn't
previously disclosed to Treasury, FINRA, the US Equity SROs, and the ESMA. The
surveillance systems surrounding almost any market center are substantial, and
can seek the sort of behavior having inside information might appear as.

~~~
tannhaeuser
That makes sense, but do we have info on whether that actually happened? Who's
overseeing the overseers? The only theory under which it would make sense to
withhold that info I can think of are criminal investigation tactics, but
there's no actual info on suspect transactions, is there?

Broadly and vaguely trusting in surveillance isn't convincing at all. The
usefulness of surveillance must be weighed and re-evaluated against risks, as
demonstrated by this incident.

~~~
HolyLampshade
I guess by surveillance I was speaking purely of transactional surveillance,
and typically investigations into transactional behavior take time, and under
certain circumstances would result in criminal prosecution (on top of any
regulatory fines/punishment).

It also takes time to coordinate investigating multiple different asset class
transactions, in the event, say, equity derivatives are used.

And no, we don’t have info on what happened and what was taken, and certainly
nothing about any regulatory investigations.

------
runesoerensen
_"The U.S. Department of Homeland Security detected five “critical” cyber
security weaknesses on the Securities and Exchange Commission’s computers as
of January"_

_"The report’s findings raise fresh questions about a 2016 cyber breach into
the SEC’s corporate filing system known as “EDGAR.”"_

_"... it shows that even after the SEC says it patched “promptly” the
software vulnerability after the 2016 hack, critical vulnerabilities still
plagued the regulator’s systems."_

[http://www.reuters.com/article/us-sec-cyber-weaknesses-exclu...](http://www.reuters.com/article/us-sec-cyber-weaknesses-exclusive/exclusive-u-s-homeland-security-found-sec-had-critical-cyber-weaknesses-in-january-idUSKCN1BW27P)

------
mifeng
I thought EDGAR was only used to disclose public securities filings. What's
the big deal?

~~~
debacle
They likely upload the filings some time before they are released.

------
dqv
I can't see this article as it's paywalled. I believe this is the actual
statement from the SEC:

[https://www.sec.gov/news/public-statement/statement-clayton-...](https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20)

~~~
elevensies
Thanks. Here is a mirror of the article:
[http://archive.is/xsniG](http://archive.is/xsniG)

------
freefal67
As much as the UI appears dated, Edgar is consistently one of the fastest
websites I use on a daily basis. Punch in a ticker under "Fast Search" here
([https://www.sec.gov/edgar/searchedgar/companysearch.html](https://www.sec.gov/edgar/searchedgar/companysearch.html))
and click around the filings for a bit to see what I mean.

------
adamnemecek
I wonder if the hackers were from the industry or outsiders who just took
advantage of the opportunity.

~~~
jfc
Probably both. That's a pretty good-sized arbitrage opportunity.

Think about the number of people in the financial world who are looking to get
a _percentage of a second_ advantage with high-speed trading. Hard to believe
they'd pass this up if they knew about it.

------
athenot
Here's a non-paywalled version:

[https://www.nytimes.com/aponline/2017/09/21/us/ap-us-sec-cyb...](https://www.nytimes.com/aponline/2017/09/21/us/ap-us-sec-cyber-breach.html)

> _The Securities and Exchange Commission says its corporate filing system was
> hacked last year and the intruders may have used the nonpublic information
> they obtained to profit illegally._

This is the most problematic part.

------
1024core
Is EDGAR data publicly available, as in, can I download the archive for a
year?

~~~
et2o
Yes

------
lgats
Facebook Proxy Past Paywall [https://www.fullwsj.com/articles/sec-discloses-edgar-corpora...](https://www.fullwsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552)

------
yq
paywall workaround:

[https://www.facebook.com/l.php?u=https://www.wsj.com/article...](https://www.facebook.com/l.php?u=https://www.wsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552)

