US lawmakers, including Senators Ron Wyden and Cynthia Lummis, are calling for an investigation into the recent hack of the Securities and Exchange Commission (SEC)'s account on the social media platform X (formerly Twitter) [1] [5]. The incident has raised concerns about the SEC's cybersecurity measures and its failure to follow industry best practices.

Description

The hack involved an unidentified individual gaining control over a phone number associated with the @SECGov account [5]. It was revealed that the SEC's official account did not have multi-factor authentication (MFA) enabled at the time of the breach [5]. The senators have criticized the SEC for not implementing MFA, especially given the agency's new requirements for cybersecurity disclosure, and are urging an investigation into the agency's use of MFA, particularly phishing-resistant MFA, to identify any remaining security gaps [5].

Previous evaluations have identified weaknesses in the SEC's security measures, particularly in its protocols for preventing unauthorized access [2]. The agency's high-profile role in regulating companies and markets has made it an attractive target for hackers; in 2016, the SEC suffered a cyberattack that compromised its corporate filings database [2]. The recent hack occurred at a challenging time for the SEC, which has recently imposed new regulations requiring public companies to disclose cyber incidents, and which has also faced legal action for downplaying security risks in the SolarWinds hack [2].

While there is no evidence that the hackers accessed SEC systems or data [3], the incident has raised questions about the SEC's cybersecurity policies and its failure to activate MFA. The SEC's safety team has attributed the hack to a SIM-swapping attack [1]. The Office of Public Affairs promptly alerted the public to the compromise and deleted the unauthorized post [3]. The SEC is currently assessing the impact of the incident on the agency, investors, and the marketplace [4], and is working with law enforcement and federal oversight entities to investigate the hack [3] [4].

The SEC's inspector general has reported that the agency has made progress in implementing cybersecurity measures but is still behind on some tasks [2]. A separate evaluation found deficiencies in the SEC's data security controls, partly attributed to work-from-home policies during the pandemic [2]. The SEC's information security program has been deemed ineffective, and lax data security measures have previously led to the dismissal of enforcement cases [2].

Conclusion

The recent hack of the SEC’s social media account highlights the agency’s inadequate cybersecurity measures and failure to follow industry best practices. It has raised concerns about the SEC’s ability to protect sensitive information and prevent unauthorized access. The senators’ call for an investigation into the agency’s use of multi-factor authentication is crucial in identifying and addressing any remaining security gaps. The SEC’s progress in implementing cybersecurity measures is commendable [2], but there is still work to be done to ensure the agency’s data security controls are effective. The incident serves as a reminder of the ongoing threat posed by cyberattacks and the need for robust cybersecurity measures in government agencies.

References

[1] https://www.infosecurity-magazine.com/news/senators-probe-sec-hack-bitcoin/
[2] https://news.bloomberglaw.com/privacy-and-data-security/sec-had-a-fraught-cyber-record-long-before-x-account-was-hacked
[3] https://finance.yahoo.com/news/sec-statement-hack-x-account-003610019.html
[4] https://www.morningstar.com/news/dow-jones/202401127911/sec-is-assessing-whether-hack-warrants-remedial-measures
[5] https://www.wyden.senate.gov/news/press-releases/wyden-lummis-urge-investigation-into-hack-of-sec-social-media-account