January 16, 2024
Cybersecurity: More Fallout from Hack of SEC’s X Account
Last week’s compromise of the SEC’s X social media account continues to attract attention from the agency, federal law enforcement and – oh goodie! – Congress. On Friday, SEC Chair Gary Gensler issued a statement on the matter, and this excerpt summarizes the SEC’s current understanding of what happened:
Based on current information, staff understands that, shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to the @SECGov X.com account by obtaining control over the phone number associated with the account. The unauthorized party made one post at 4:11 pm ET purporting to announce the Commission’s approval of spot bitcoin exchange-traded funds, as well as a second post approximately two minutes later that said “$BTC.” The unauthorized party subsequently deleted the second post, but not the first. Using the @SECGov account, the unauthorized party also liked two posts by non-SEC accounts. While SEC staff is still assessing the scope of the incident, there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.
The statement notes that the SEC continues to assess the impacts of the hack but acknowledges that “those impacts include concerns about the security of the SEC’s social media accounts.” It goes on to state that the SEC is coordinating with an alphabet soup of federal law enforcement and oversight agencies, including its own Office of the Inspector General, the FBI, DHS and CISA.
In what may be the least surprising news of the week, politicians were quick to arrive at the scene. First out of the gate were Senators J.D. Vance (R-OH) and Thom Tillis (R-NC), who lobbed in this letter to Chair Gensler on the day the incident became public, characterizing it as a “colossal error” and requesting a briefing. On Thursday, Senators Ron Wyden (D-OR) and Cynthia Lummis (R-WY) followed up with a letter to the SEC’s OIG criticizing the agency’s failure to adhere to cybersecurity best practices and calling for the OIG to provide the senators with an update on its investigation and the SEC’s remediation efforts by February 24th.
– John Jenkins