The U.S. Securities and Exchange Commission said Monday that the hackers who broke into its corporate filing system last year accessed two people’s personal information, a change from the agency’s previous assessment that it didn’t believe such data had been compromised.
The breach of the SEC’s Edgar database, which was first made public last month, led to the disclosure of names, dates of birth and Social Security numbers, the regulator said. The SEC didn’t provide details on whose personal data was stolen, including whether they were agency employees.
“Staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services,” the SEC said. Should the SEC determine that other people’s data was stolen, it will “contact them and offer them identity protection and monitoring as well,” the regulator added.
SEC Chairman Jay Clayton didn’t learn that personal information was stolen until Sept. 29, the regulator said. Clayton had previously said that he didn’t think hackers had accessed such data, which could be used for identity theft.
Since disclosing the incident on Sept. 20, Clayton has come under mounting pressure from lawmakers to provide additional details about the 2016 intrusion. The SEC has said that it believes the hackers may have accessed market-moving information that they traded on, and that its enforcement division is investigating the incident.
In addition to that probe, the SEC has said its inspector general and general counsel are conducting reviews of the incident. On Monday, the agency said that it planned to spend more money to modernize its Edgar system and increase its focus on cybersecurity.
Also on Monday, the SEC general counsel’s office sent an email to staff and contractors directing them to retain any documents related to the breach, according to two people familiar with the demand who asked not to be named because it wasn’t public. The notice indicated that the SEC expects inquiries from lawmakers and other government agencies over the matter, said one of the people.
SEC spokeswoman Judith Burns declined to comment on the email.