Last month, the Securities and Exchange Commission (SEC) admitted that hackers accessed its network in 2016, but assured everyone that no one had accessed anyone’s personal information.

It turns out the hackers did access at least two people’s information: names, Social Security numbers, birthdays.

Bloomberg reported:

The SEC didn’t provide details on whose personal data may have been stolen, including whether they were agency employees. SEC Chairman Jay Clayton had previously said that the regulator didn’t think hackers had accessed such information, which could be used for identity theft. Clayton learned Sept. 29 that personal data was breached, the agency said.

“Staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services,” the SEC said. Should the SEC determine that other people’s data was stolen, it will “contact them and offer them identity protection and monitoring as well,” the regulator added.

The officials said the hackers received this information after they breached the EDGAR (Electronic Data Gathering, Analysis and Retrieval System) filing system, “through which publicly traded companies make public and private disclosures about their financial affairs.”

Having this information means the hackers could have made profits through trading on insider information. From The Hill:

Companies and investors send scores of forms through EDGAR on securities sales, initial public offerings, corporate financial information and structural plans. While much of the system is publicly accessible, it also contains private financial records that only regulators can see.

SEC Chairman Jay Clayton stated that the agency will hire more staff and cybersecurity employees “to review and improve its existing cybersecurity policies and practices.”

The SEC will also review EDGAR, “including reviewing the types of data companies can submit to it, as well as whether that database is the appropriate mechanism for gathering that sort of information.”

The Intrusion

Clayton took his post in May of this year. The breach took place in 2016, but Clayton did not find out until this August. The Wall Street Journal reported on September 20:

The SEC said it was investigating the source of the hack, which exploited a software vulnerability in a part of the agency’s Edgar system, a comprehensive database of filings made by thousands of public companies and other financial firms regulated by the SEC.

The commission said the hack was detected in 2016, but that regulators didn’t learn about the possibility of related illicit trading until August, when they started an investigation and began cooperating with what the SEC called “appropriate authorities.”

A day later, Reuters revealed that the Department of Homeland Security (DHS) found “five ‘critical’ cyber security weaknesses” on the SEC’s computers last January:

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But it shows that even after the SEC says it patched “promptly” the software vulnerability after the 2016 hack, critical vulnerabilities still plagued the regulator’s systems. The hack, two weeks after credit-reporting company Equifax said hackers had stolen data on more than 143 million U.S. customers, has sent shockwaves through the U.S. financial sector.

A lot of people have freaked out over the Equifax hack that exposed personal information of millions of Americans, but tech lawyer Mark Grossman said that this hack is bigger than Equifax because “[I]t proves ‘even the government is hackable.’”