US lawmakers have demanded an investigation into the hack of the Securities and Exchange Commission (SEC)’s X (previously Twitter) account final week.
Senators Ron Wyden, who sits on the Senate Intelligence Committee, and Cynthia Lummis, accused the federal company of failing to safe its social media accounts utilizing trade finest practices in a letter dated January 11, 2024.
Hackers compromised the SEC’s X account on January 10 and posted a pretend announcement concerning the approval of Bitcoin exchange-traded funds (ETFs) on safety exchanges, resulting in Bitcoin costs briefly spiking.
X’s security staff later mentioned the takeover was because of the hijacking of a telephone quantity related to the @SECGov account in a SIM-swapping assault. X additionally famous that the SEC’s account didn’t have two-factor authentication (2FA) enabled on the time the account was hacked.
This assault got here amid a wave of crypto-related X account hijacks focusing on distinguished firms, together with Mandiant, Hyundai and Certik.
Destabilizing Impact on Financial System
Wyden and Lummis wrote that given the potential for market manipulation via such hacks, the SEC’s failure to observe cybersecurity finest practices equivalent to 2FA was “inexcusable.”
They argued that the SEC ought to have used safety keys to safe their social media accounts in addition to 2FA, following latest steerage from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA).
The choice to allow safety keys has been accessible for customers of X since 2021.
The senators mentioned: “A hack ensuing within the publication of fabric data for buyers might have vital impacts on the soundness of the monetary system and belief in public markets, together with potential market manipulation.”
“We urge you to research the company’s practices associated to the usage of MFA, and specifically, phishing-resistant MFA, to determine any remaining safety gaps that have to be addressed.”
The SEC, which launched new guidelines in 2023 mandating that publicly listed companies working within the US disclose “materials” cyber incidents inside 4 days, has been criticized for poor cybersecurity practices on a number of events in recent times, the letter famous.
This consists of an unbiased analysis in FY23 which decided that the SEC’s data safety program and practices weren’t efficient.
Wyden and Lummis have given the SEC a deadline of February 12 to supply an replace into their investigation and its cybersecurity cures.