The U.S. Securities and Exchange Commission (SEC) has taken action in response to a breach of its X account that involved a SIM swap attack. Gary Gensler, chair of the SEC, addressed lawmakers and assured them that the SEC is taking the matter seriously. This article provides an analysis of the SEC’s response and the measures being taken to investigate the attack.
The Breach and False Message
On January 9, an unidentified individual used a SIM swap attack to take over the SEC’s X account and then published a false message claiming that the SEC had approved several spot Bitcoin exchange-traded funds (ETFs). Although the SEC did approve those funds on January 10, the initial message was fraudulent. In his letter to lawmakers, Gensler acknowledged the breach and the briefing that took place on January 17 regarding the incident.
House members, including Patrick McHenry, Bill Huizenga, French Hill, and Ann Wagner, expressed their concerns to the SEC and asked the commission to hold itself to the same security disclosure standards it imposes on companies. The lawmakers urged the SEC to respond by January 17, and the SEC complied by arranging the aforementioned briefing. Senators Ron Wyden and Cynthia Lummis also sent a letter to the SEC, calling for an investigation into multi-factor authentication and phishing-resistant hardware tokens. However, the SEC’s response did not address the senators, and no update has been reported regarding their request.
Gensler provided a detailed account of the attack timeline and updates on ongoing investigations in his letter. Law enforcement agencies are currently investigating how the attacker persuaded the carrier service to change the SIM associated with the SEC’s X account, as well as how they obtained the phone number linked to the account. Gensler was the first to confirm the compromise of the SEC’s X account on January 9, and he published a comprehensive statement on the incident three days later. Although the letter to lawmakers, dated February 6, did not gain attention until recently, several sources have now reported on its contents.
The breach of the SEC’s X account through a SIM swap attack highlights the vulnerability of even well-established institutions to cyber threats. The SEC’s response indicates its commitment to addressing the security concerns raised by lawmakers and the public. As investigations continue, it is crucial for the SEC to bolster its cybersecurity measures to prevent future breaches and maintain the trust of the companies and investors it oversees.