US legislators last week demanded an investigation into the hack of the Securities and Exchange Commission's (SEC) account on X (formerly Twitter).
Senators Ron Wyden, who sits on the Senate Committee, and Cynthia Lummis accused the federal agency of failing to protect its social media accounts using industry best practices, in a letter dated 11 January 2024.
On January 9, hackers took over the X account and posted a fake announcement claiming that the SEC had approved spot bitcoin exchange-traded funds (ETFs) for trading on securities exchanges, which caused the bitcoin price to spike briefly.
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
– U.S. Securities and Exchange Commission (@SECGov), January 9, 2024
X's safety team later said the takeover was the result of an unidentified party gaining control of a phone number linked to the @SECGov account through a SIM swapping attack. In a SIM swap the attacker persuades or bribes the carrier into porting the victim's number to a SIM the attacker controls, so any SMS-delivered login or password-reset codes for that number arrive on the attacker's device instead. X also noted that the SEC account did not have two-factor authentication (2FA) enabled when it was hacked.
The attack came amid a wave of crypto-related X account takeovers targeting prominent organizations, including Mandiant, Hyundai and CertiK.
Destabilizing impact on the financial system
Wyden and Lummis wrote that, given the potential for market manipulation through such hacks, the SEC's failure to follow cybersecurity best practices such as 2FA was "unforgivable".
They argued that the SEC should have been using 2FA, and specifically security keys, to protect its social media accounts, in line with recent guidance from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA).
Security keys have been available to X users as a 2FA option since 2021.
The senators said: “A hack that results in the publication of material information for investors could have significant consequences for the stability of the financial system and confidence in public markets, including potential market manipulation.
“We recommend that you investigate the agency's practices regarding the use of MFA, and in particular phishing-resistant MFA, to identify any remaining security gaps that need to be addressed.”
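To make the senators' distinction concrete, here is an added example (not code from the article, the SEC or X) that models in Python why an SMS-delivered code falls to a SIM swap while an assertion from a FIDO2-style security key cannot be relayed through a look-alike site. All hostnames, phone numbers and secrets are constructed, and the HMAC used in place of the authenticator's private-key signature is a labelled simplification.

```python
"""Constructed model of the two account-protection paths the article contrasts:
SMS-delivered one-time codes, which fall to a SIM swap, and a FIDO2-style
security key, whose assertion is bound to the site origin. Every name, phone
number and secret here is made up for the example."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

# --- Carrier side: which SIM currently receives SMS for each number (constructed).
carrier_routes: Dict[str, str] = {"+1-555-0100": "sim-of-agency-phone"}
inboxes: Dict[str, List[str]] = {}


def send_sms(number: str, text: str) -> None:
    """The carrier delivers to whichever SIM owns the number *right now*."""
    inboxes.setdefault(carrier_routes[number], []).append(text)


def sim_swap(number: str, new_sim: str) -> None:
    """Attacker talks the carrier into porting the number to a SIM they control."""
    carrier_routes[number] = new_sim


# --- Site side, weak path: account recovery is gated only by a code sent by SMS.
class SmsProtectedAccount:
    def __init__(self, phone: str) -> None:
        self.phone = phone
        self.pending_code: Optional[str] = None

    def request_reset(self) -> None:
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        send_sms(self.phone, f"Your reset code is {self.pending_code}")

    def complete_reset(self, code: str) -> bool:
        ok = self.pending_code is not None and hmac.compare_digest(code, self.pending_code)
        self.pending_code = None            # single use
        return ok


def sms_takeover_via_sim_swap() -> bool:
    """Returns True when the attacker completes a reset they should not be able to."""
    acct = SmsProtectedAccount("+1-555-0100")
    sim_swap("+1-555-0100", "sim-of-attacker")
    acct.request_reset()                                 # the site itself does nothing wrong
    stolen_code = inboxes["sim-of-attacker"][-1].split()[-1]
    return acct.complete_reset(stolen_code)


# --- Site side, hardened path: FIDO2-style security key.
# Simplification: the per-site credential is an HMAC secret shared at registration,
# standing in for the key pair a real authenticator generates (the server would then
# hold only the public key). The property that gives phishing resistance is kept:
# the credential is scoped to an RP ID, and the assertion covers the origin the
# browser actually saw together with the server's challenge.
class SecurityKey:
    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}   # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes) -> Optional[bytes]:
        secret = self._creds.get(rp_id)
        if secret is None:                   # no credential for this site: refuse
            return None
        client_data = hashlib.sha256(origin.encode() + challenge).digest()
        return hmac.new(secret, client_data, "sha256").digest()


def browser_webauthn(key: SecurityKey, page_origin: str, challenge: bytes) -> Optional[bytes]:
    """The browser derives the RP ID from the page's real origin; page script cannot lie about it."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    return key.get_assertion(rp_id, page_origin, challenge)


class KeyProtectedAccount:
    ORIGIN = "https://x.example"             # constructed stand-in for the real site
    RP_ID = "x.example"

    def __init__(self, key: SecurityKey) -> None:
        self.cred_secret = key.register(self.RP_ID)

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def login(self, challenge: bytes, assertion: Optional[bytes]) -> bool:
        if assertion is None:
            return False
        client_data = hashlib.sha256(self.ORIGIN.encode() + challenge).digest()
        expected = hmac.new(self.cred_secret, client_data, "sha256").digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_key_login() -> bool:
    key = SecurityKey()
    acct = KeyProtectedAccount(key)
    ch = acct.new_challenge()
    return acct.login(ch, browser_webauthn(key, acct.ORIGIN, ch))


def phishing_relay_against_key() -> bool:
    """Attacker proxies the real challenge to a look-alike site; True only if the relay works."""
    key = SecurityKey()
    acct = KeyProtectedAccount(key)
    ch = acct.new_challenge()                       # issued by the real site to the attacker's session
    sim_swap("+1-555-0100", "sim-of-attacker")      # irrelevant here: there is no SMS path to hijack
    assertion = browser_webauthn(key, "https://x-login.example", ch)
    return acct.login(ch, assertion)


if __name__ == "__main__":
    print("SIM swap defeats SMS reset:", sms_takeover_via_sim_swap())
    print("Genuine key login:", legitimate_key_login())
    print("Relayed key assertion accepted:", phishing_relay_against_key())
```

The point the model isolates is that the weak path trusts whatever the carrier routes the number to, which the site cannot verify, whereas the key path trusts only a credential scoped to the site's own RP ID and an assertion over the origin the browser observed, so neither porting the number nor proxying the challenge through another origin yields anything the server will accept.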
The SEC, which in 2023 introduced rules requiring publicly listed companies operating in the US to disclose 'material' cyber incidents within four business days, has itself been criticized for poor cybersecurity practices in recent years, the letter noted.
This includes an independent evaluation in FY23 which found that the SEC's information security program and practices were not effective.
Wyden and Lummis gave the SEC until 12 February to provide an update on its investigation and its cybersecurity remediation.