U.S. lawmakers are calling for a thorough review of the Securities and Exchange Commission’s (SEC) cybersecurity preparedness following a breach that led to the unauthorized posting of market-moving information on its X account earlier this week.
On Tuesday, the SEC confirmed that its X account, formerly known as Twitter, had been briefly accessed, and a fake message claiming approval of exchange traded funds (ETFs) for bitcoin was posted. While the SEC eventually approved the first U.S.-listed ETFs to track bitcoin on Wednesday, the unauthorized post the day before caused a temporary surge in the price of Bitcoin to around $48,000, only to fall to below $45,000 minutes later.
In response to this incident, Democratic Senator Ron Wyden from Oregon and Republican Senator Cynthia Lummis from Wyoming penned a letter to the SEC on Thursday, urging an investigation into what they deemed the “SEC’s apparent failure to follow cybersecurity best practices.” X, owned by billionaire Elon Musk, confirmed the hack, attributing it to an “unidentified individual” gaining control over a phone number associated with the agency’s account. Notably, the SEC did not have two-factor authentication enabled at the time of the breach.
Two-factor authentication (MFA) is a crucial security tool that requires users to input a password and a security key sent via email or phone for account access. Wyden and Lummis emphasized the need for an investigation into the SEC’s use of MFA, particularly phishing-resistant MFA, to identify any security gaps that may still exist.
“We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed,” stated Wyden and Lummis in their letter.
The SEC announced earlier that it is collaborating with law enforcement agencies to investigate the cyberattack, highlighting the seriousness with which the regulatory body is treating the breach.
