The head of the U.S. Securities and Exchange Commission said this week that hackers accessed the SEC’s corporate disclosure database and likely profited by trading on that stolen insider information.

The hack took place in 2016, but SEC says it only discovered last month that the information may have been used to profit from equity trades.

SEC “promptly” patched the vulnerability in 2016 after detecting it, but officials claim they only realized last month the security failing “may have provided the basis for illicit gain through trading”, it said.

The bad news comes just after the credit data firm Equifax exposed the personal information of millions through shoddy security practices that left that data open to hackers, too.

How did the hackers get in? They “exploited a software glitch in the test filing component of the system to gain access to non-public information,” reports Reuters.

From Reuters:

The SEC hosts large volumes of sensitive and confidential information that could be used for insider-trading or manipulating U.S. equity markets. Its EDGAR database houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions.

“It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” the SEC said, adding that it was also liaising with the relevant authorities without naming them.

(…)

Cyber criminals have targeted financial information hubs before — the Hong Kong stock exchange and the Nasdaq stock exchange in New York were targeted by hackers in 2011.

But the breach at the SEC is particularly egregious because its new boss, Jay Clayton, has made tackling cyber crime one of the top enforcement issues during his tenure.

It also puts the agency under a spotlight over why the 2016 breach was not disclosed earlier. Securities industry rules require companies to disclose cyber breaches to investors and the SEC has investigated firms over whether they should have reported incidents sooner.