Hackers who breached the Securities and Exchange Commission's EDGAR corporate filing system in 2016 accessed a test filing that contained the names, birth dates and Social Security numbers of two people, the SEC said Monday.
The information was discovered Sept. 29 during the agency's investigation of the 2016 breach, the SEC said in a news release. The two people are being notified by SEC staff, who are offering them identity theft protection and monitoring services.
Concerning the EDGAR breach, the investigation into the cyberattack is being conducted by the Office of Inspector General, while the SEC's enforcement division is looking into whether any illegal trading resulted from the breach. The SEC is also expanding how the breach was initially handled, reviewing its overall modernization efforts on the EDGAR system and conducting a broader review of the organization's cybersecurity risk profile, according to the release.
The agency also has begun hiring additional staff and outside technology consultants, the release said.
"While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency's systems more broadly," SEC Chairman Jay Clayton said in the release.