The hack of a social media account used by the Securities and Exchange Commission is prompting both internal and external investigations into how the security breach occurred and whether anyone tried to profit from it, the commission and several legal experts said.
The SEC said in a statement Wednesday that it was coordinating an investigation into the hack that occurred the previous day “with appropriate law enforcement entities, including the SEC's Office of Inspector General and the FBI.”
John Reed Stark, a former SEC enforcement attorney and cybersecurity regulatory consultant, said the commission's inspector general would have to investigate how a hacker was able to access the SEC's official account on X (formerly Twitter) to post a false message that the commission had approved several Bitcoin investment products.
“This is, unfortunately, a blatant failure of basic cyber hygiene,” Stark said.
He also said federal prosecutors would likely open a separate investigation into whether the hack was part of an attempt to profit from the resulting swing in Bitcoin prices. Stark added that it didn't matter whether the hackers made money from trading during the roughly 15 minutes the post was online, but rather whether they had criminal intent to do so.
Daniel Hawke, a partner at law firm Arnold & Porter and former head of the SEC's market abuse unit, said the fake post had all the hallmarks of an attempt to “manipulate crypto markets.”
A Justice Department spokesman declined to comment. A spokesman for the SEC inspector general said: “We are currently evaluating the circumstances and reviewing the SEC's statements.”
In a Tuesday night post, X said that the hacker had gained control of a phone number associated with the SEC account and that the agency did not have two-factor authentication enabled on the account at the time, a feature intended to prevent unauthorized access.
Last year, Elon Musk, owner of X, announced changes to the way users can implement two-factor authentication to protect access to their accounts. It's unclear how the SEC responded to those security changes.
This is not the first time the SEC has been hacked.
In 2017, the SEC revealed that hackers had breached the commission's EDGAR filing system, the computer database that public companies and investment funds use to make regulatory filings and disclose to investors information that could affect the market.
The breach triggered a major criminal investigation; in 2019, federal prosecutors charged two Ukrainian citizens with hacking into the database and stealing nonpublic information that they could trade on or sell to others.
In September, the SEC inspector general's office issued a letter saying the commission had “moved forward toward implementing” government-wide cybersecurity standards but had not completed all required steps. The inspector general had asked the SEC about measures it had taken to protect “public systems that support multi-factor authentication.”
During Cybersecurity Awareness Month in October, SEC Chairman Gary Gensler posted about the importance of digital security. “This is a reminder to protect your financial accounts and against identity theft and fraud,” he wrote on X on October 23. The post listed several steps, including “set up multi-factor authentication.”
In July, the SEC adopted a rule requiring public companies to promptly report cybersecurity incidents and annually disclose information about their cybersecurity risk management. In announcing the rule, Gensler said that “whether a company loses a factory in a fire (or millions of files in a cybersecurity incident) can matter to investors.”
The fake post on X claiming that the SEC had approved several Bitcoin exchange-traded funds was presented as coming from Mr. Gensler and included his photograph. About 15 minutes after it appeared, Gensler said on his own X account that the post on the SEC account was an “unauthorized tweet.”
The fake post briefly pushed the price of Bitcoin up before it fell back.
Under Mr. Gensler, the SEC has used its X account to post messages and video presentations to the investing public.
David Yaffe-Bellany contributed reporting.