Gary Gensler, the chair of the U.S. Securities and Exchange Commission (SEC), recently addressed lawmakers regarding a breach of the SEC’s X account. This breach occurred on Jan. 9 when an unknown actor performed a SIM swap attack on the SEC’s X account and published a false message claiming that the SEC had approved several spot Bitcoin ETFs. While the SEC did approve those funds on Jan. 10, the initial message was indeed fraudulent. In a letter to lawmakers, Gensler stated that the SEC takes its cybersecurity responsibilities seriously and that the Office of Legislative and Intergovernmental Affairs had briefed staff on the incident on Jan. 17.
In response to the breach, House members Patrick McHenry, Bill Huizenga, French Hill, and Ann Wagner sent a letter on Jan. 10 asking the SEC to uphold the security disclosure standards it sets for companies. They requested a response by Jan. 17, a deadline that Gensler met by providing a briefing on that date. Additionally, Senators Ron Wyden and Cynthia Lummis called on the SEC to launch an investigation into multi-factor authentication and phishing-resistant hardware tokens. Although an update on this matter was expected by Feb. 12, there has been no further communication from the SEC.
In his letter to lawmakers, Gensler outlined the timeline of the attack and provided an update on ongoing investigations. Law enforcement is currently looking into how the attacker convinced the carrier service to change the SIM card associated with the SEC’s X account and how the attacker obtained the phone number linked to the account. Gensler confirmed the breach on Jan. 9 and issued a comprehensive statement on Jan. 12. Despite previous announcements, Gensler’s letter to lawmakers remained private until it was disclosed by Politico on Feb. 8 and subsequently reported by various sources.
The breach of the SEC’s X account underscores the critical importance of cybersecurity in today’s digital landscape. The incident highlights the vulnerabilities that even government agencies face in terms of malicious attacks and underscores the need for robust security measures to safeguard sensitive information. As threats continue to evolve and become more sophisticated, it is imperative that organizations, both public and private, remain vigilant and proactive in defending against cyber threats.