The Australian Securities and Investment Commission has hired lawyers to check whether a glitch on its website assisted insider trading.
Until late last year, a flawed search tool allowed people to access all ASIC documents sent to any email address.
There was no identification required, so people could spy on the company research of private equity investors if they knew their email address.
ASIC has now told 770 people that their records have been forwarded to another email account.
The search history of investors could reveal which companies are being targeted for mergers, potentially giving away a competitive advantage.
Documents sent to investigative journalists — whose emails are publicly available — could reveal upcoming scandals or wrongdoing.
The glitch also provided the documents free of charge, as ASIC assumed people were searching for documents they had already paid for.
‘We do not view this as being OK’
The corporate regulator — which is responsible for stopping insider trading — is now under fire for taking months to fix the flaw.
“We do not view this as being OK,” ASIC commissioner John Price told a parliamentary inquiry.
“Just the mere fact of being able to view what searches people have done, in our view, may well constitute a breach of privacy.”
Mr Price told the inquiry that he was concerned about the prospect — however small — of insider trading.
“If someone knew another person’s email address and could see what they’ve searched, you might be able to draw inferences depending on what their profession was,” Mr Price said.
ASIC commissioner Cathie Armour said the Australian Government Solicitors would test this “from a market surveillance perspective”.
The regulator said no personal information like credit cards or contact details were compromised.
ASIC under fire for slow reaction
ASIC was first alerted to the flaw in late August by a member of the public who called to register concerns. But the complaint was not taken seriously.
An industry figure then complained on October 9, saying the flaw could be exploited, but ASIC took weeks to resolve the issue.
The search tool was not closed until November 9, when The Guardian first reported the breach, although at that stage ASIC had not accepted their error or brought in lawyers.
One of the businessmen who raised the alarm and does not want to be named, said he felt vindicated.
“I was right, but the fact that they’re concerned that there was potential for market manipulation, that in itself is the big concern I have right there,” he told the ABC.
“If there was a phone call in August months prior to me looking at it, it meant there was a huge window there.”
ASIC ‘hasn’t covered itself in glory’
Labor senator Chris Ketter is chair of Parliament’s economic references committee and said ASIC had not “covered itself in glory”.
“If there is any evidence that insider trading took place as a result of the data breaches, then I would expect ASIC to play a very strong role in ensuring prosecutions,” Senator Ketter said.
“They’re not able to tell us what went wrong, but they admit they took too long to respond.”
Associate Professor Juliette Overland, an expert in insider trading at Sydney University, said the breach was concerning but was unlikely to lead to white collar crime.
“There is potential, although I would say it is only a very small potential,” she told the ABC.
“My own view is it would be very difficult to bring insider trading proceedings against anyone on the basis of information attained this way.
“I would suspect there would be some level of awkwardness in ASIC wanting to bring proceedings against a company or person for insider trading based on information that could only be accessed due to its own glitch.”