US lawmakers have demanded an investigation into the hack of the Securities and Exchange Commission (SEC)’s X (formerly Twitter) account last week.
Senators Ron Wyden, who sits on the Senate Intelligence Committee, and Cynthia Lummis, accused the federal agency of failing to secure its social media accounts using industry best practices in a letter dated January 11, 2024.
hackers compromised the SEC’s X account on January 10 and posted a fake announcement regarding the approval of Bitcoin exchange-traded funds (ETFs ) on security exchanges, leading to Bitcoin prices briefly spiking.
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024
X’s safety team later said the takeover was due to the hijack of a phone number associated with the @SECGov account in a SIM-swapping attack. X also noted that the SEC’s account did not have two-factor authentication (2FA) enabled at the time the account was hacked.
This attack came amid a wave of crypto-related X account hijacks targeting prominent companies, including Mandiant, Hyundai and Certik.
Destabilizing Impact on Financial System
Wyden and Lummis wrote that given the potential for market manipulation through such hacks, the SEC’s failure to follow cybersecurity best practices such as 2FA was “inexcusable.”
They argued that the SEC should have used security keys to secure their social media accounts as well as 2FA, following recent guidance from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA).
The option to enable security keys has been available for users of X since 2021.
The senators said: “A hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation.
“We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.”
The SEC, which introduced new rules in 2023 mandating that publicly listed firms operating in the US disclose “material” cyber incidents within four days, has been criticized for poor cybersecurity practices on several occasions in recent years, the letter noted.
This includes an independent evaluation in FY23 which determined that the SEC’s information security program and practices were not effective.
Wyden and Lummis have given the SEC a deadline of February 12 to provide an update into their investigation and its cybersecurity remediations.