In a significant cybersecurity incident, an unknown actor performed a SIM swap attack on the U.S. Securities and Exchange Commission’s (SEC) X account. This breach resulted in the publication of a false message claiming the SEC’s approval of spot Bitcoin ETFs. Chair Gary Gensler addressed House members, reassuring them of the SEC’s commitment to cybersecurity and providing an update on investigations.
Following the discovery of the breach, House members Patrick McHenry, Bill Huizenga, French Hill, and Ann Wagner raised concerns about the SEC’s security disclosure standards. They urged the SEC to hold itself accountable to the same standards it imposes on companies. The lawmakers set a deadline of January 17 for a response from the SEC.
Gensler’s Letter
Chair Gary Gensler responded to the lawmakers’ concerns in a letter, emphasizing the SEC’s dedication to addressing the cybersecurity breach promptly. Gensler assured the lawmakers that the SEC takes its cybersecurity obligations seriously. He also mentioned that the SEC’s Office of Legislative and Intergovernmental Affairs had arranged a briefing on January 17 to address the questions raised by the lawmakers’ letter.
Request for Investigation
In a separate letter, Senators Ron Wyden and Cynthia Lummis urged the SEC to initiate an investigation into multi-factor authentication and phishing-resistant hardware tokens. They also called for the SEC to identify and close any security gaps. While the senators’ letter stipulated a response deadline of February 12, Gensler’s letter did not elaborate on their request, and no further updates have been reported.
Gensler revealed in his letter that law enforcement agencies are currently investigating how the attacker orchestrated the SIM swap attack. They are particularly focused on understanding the process by which the attacker persuaded the carrier service to change the SIM associated with the SEC’s X account. Additionally, authorities are working to determine how the attacker identified the phone number associated with the SEC’s account.
Unlike previous statements issued by Chair Gensler, his letter to lawmakers was not public and had received little attention until recently. Dated February 6, the letter was only made public on February 8 through Politico. However, various sources have now widely reported on the contents of the letter, bringing attention to the incident and the SEC’s response.
The breach of the SEC’s X account highlights the ongoing challenge of securing sensitive information and protecting against cyber threats. Chair Gary Gensler’s response to lawmakers demonstrates the SEC’s commitment to addressing the breach promptly and thoroughly. As investigations continue, it remains crucial for regulatory agencies to prioritize cybersecurity measures and collaborate with relevant stakeholders to mitigate future incidents.