The hack of a social media account used by the Securities and Exchange Commission is prompting both internal and external investigations into how the security breach occurred and whether anyone tried to profit from it, the commission and several legal experts said.
The SEC said in a statement Wednesday that it was coordinating its investigation into the hack that occurred the previous day “with the SEC’s Office of Inspector General and appropriate law enforcement entities, including the FBI.”
John Reed Stark, a former SEC enforcement attorney and regulatory adviser on cybersecurity, said the commission’s inspector general will need to investigate how a hacker was able to access the SEC’s official account on X and post a false message that the commission had approved several Bitcoin investment products.
“Unfortunately, this is a gross failure of basic cyber-hygiene,” Mr. Stark said.
He also said federal prosecutors would launch a separate investigation into whether the hack was part of an effort to profit from Bitcoin’s price spike. Mr. Stark said it did not matter whether the hackers made any money from trading during the 15 minutes after the post went online; what mattered was whether they had any criminal intent to do so.
Daniel Hawk, a partner at law firm Arnold & Porter and former director of the SEC’s Market Abuse Unit, said the fake post had all the hallmarks of an attempt to “manipulate crypto markets.”
A Justice Department spokesman declined to comment. A spokesperson for the SEC’s inspector general said, “We are currently evaluating the circumstances and reviewing the SEC’s statements.”
In a post on Tuesday night, X said that the hacker had used the phone number associated with the SEC account, and the government agency did not have “two-factor authentication” in place to prevent unauthorized access.
Last year, X boss Elon Musk announced changes to how users can deploy two-factor authentication to secure access to their accounts. It is not clear whether the SEC responded to those security changes.
This is not the first time that the SEC has been hacked.
In 2017, the SEC disclosed that hackers had breached the commission’s EDGAR filing system – the computer database that public companies and investment funds use to make regulatory filings and disclose potentially market-changing information to investors.
The breach prompted a major law enforcement investigation; in 2019, federal prosecutors charged two Ukrainian citizens with hacking the database and stealing confidential information, which they could then either trade on or sell to others.
In September, the SEC Office of Inspector General issued a letter. It found that the commission “has made progress towards implementing” government cybersecurity standards but had not completed all the required steps. The inspector general had asked the SEC about steps it had taken to secure “public-facing systems that support multifactor authentication.”
During Cybersecurity Awareness Month, in October, SEC Chairman Gary Gensler posted about the importance of digital security. “This is a reminder to secure your financial accounts as well as protect against identity theft and fraud,” he posted on October 23. He listed several steps, including “setting up multifactor authentication.”
In July, the SEC adopted a rule requiring public companies to promptly report cybersecurity incidents and annually disclose information on their cybersecurity risk management. In announcing the rules, Mr. Gensler said that “whether a company’s factory is destroyed in a fire – or millions of files are lost in a cybersecurity incident – it could be significant to investors.”
About 15 minutes after the fake post appeared, Mr. Gensler said on his own X account that the post on the SEC account was an “unauthorized tweet.”
This scam initially caused the price of Bitcoin to rise and then fall.
Under Mr. Gensler, the SEC has used its X account to post messages and video presentations to the investing public.
David Yaffe-Bellaney contributed to the reporting.