(Bloomberg) -- The hack of the U.S. Securities and Exchange Commission’s corporate-filing database likely involved Eastern European criminals who may have been perusing market-moving information stored in the regulator’s network for months, according to two people with knowledge of the matter.

It was during a routine maintenance check of the SEC’s Edgar system that the agency discovered how long intruders might have had access to company secrets, said one of the people who asked not to be named to discuss findings about the 2016 hack that haven’t been disclosed.

Edgar is best known for being a massive repository where firms inform investors about everything from their earnings to top executives’ share sales. But the aspect of the database that was hacked is largely under the radar and houses test filings that are never meant to be released publicly.

While examinations of the breach are ongoing, there are signs the attack could have been part of a broader intrusion aimed at other government agencies or data troves maintained by private companies, the person said. SEC Chairman Jay Clayton has said the regulator is working with appropriate authorities and that the incident was reported to the Department of Homeland Security.

Chris Carofine, a spokesman for Clayton, declined to comment, while Homeland Security referred questions to the SEC.

Safeguarding data

The breach has embarrassed the SEC by casting doubt on its ability to safeguard data that fuels billions of dollars in daily financial transactions. And since the agency is responsible for policing insider trading, there’s a certain irony in it disclosing that crooks may have profited from information they stole from the regulator.

The SEC first revealed the intrusion in September, saying the hackers took advantage of a software weakness within the corner of Edgar where companies can practice submitting filings. The agency said the vulnerability was quickly patched, but that hackers were still able to exploit it to obtain nonpublic information.

The dummy forms allow startups to get comfortable with the SEC system, while enabling more-established corporations to make sure their disclosures format correctly. The regulator has cautioned companies to be careful about what they put in test announcements, but securities lawyers and executives have said it’s not uncommon for the filings to include sensitive data that can move share prices.

Other than saying the hack took place last year, the SEC hasn’t provided a precise timeline, explained how the breach was discovered or laid out all it did to try to contain the fallout.

Something amiss

SEC officials first became aware something was amiss, one of the people said, when the regulator started getting indications that an unusual source was trying to access its test Edgar system. Of particular concern: the attempts appeared to be coming from Eastern Europe and from outside the SEC’s firewall, which monitors and controls incoming network traffic, the person said.

It wasn’t until much later that the full scope of the problem became clear when technology officials took the test Edgar system offline to make sure it was functioning properly. At that point, they found signs that hackers may have had unfettered access to dummy filings for several months, the person said.

The SEC enforcement division, which investigates illegal trading, is now examining whether there was any suspicious buying and selling ahead of company announcements that were first disclosed in nonpublic test filings.

After initially saying that it didn’t think anyone’s personal information was compromised, the SEC said in early October that hackers had accessed two people’s private data including names, dates of birth and Social Security numbers. The individuals involved were two corporate officers who had included the information in dummy filings, according to the person.

Clayton, who took over as SEC chairman in May, has said he didn’t become aware of the hack until August. He’s also said he has no reason to believe the incident was reported to former Chair Mary Jo White, who stepped down in January. White has declined to comment on the breach.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
