Wyden, Lummis call for investigation into SEC X account hack

A bipartisan Senate duo is calling for the inspector general of the Securities and Exchange Commission (SEC) to open an investigation into the recent hack of the agency’s account on X, formerly known as Twitter.

Sens. Ron Wyden (D-Ore.) and Cynthia Lummis (R-Wyo.) urged SEC Inspector General Deborah Jeffrey in a letter on Thursday to open a probe into the “SEC’s apparent failure to follow cybersecurity best practices.” The letter was first reported by Axios on Friday.

Wyden serves as the chair of the Senate Finance Committee, while Lummis is a member of the Senate Banking, Housing, and Urban Affairs Committee, which oversees the SEC.

The SEC revealed Tuesday that its X account had been hacked, after it appeared to announce the approval of several bitcoin investment funds. The false announcement came as the cryptocurrency industry eagerly awaited the agency’s decision on nearly a dozen such funds.

The original post was online for about 30 minutes before it was deleted and replaced with the SEC’s disavowal. However, the confusion created by the hack caused the price of bitcoin to spike to nearly $48,000, before tumbling to less than $46,000 on Tuesday evening.

“The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products,” the agency wrote in a Tuesday afternoon post.

Despite the false start, the SEC ultimately approved the 11 exchange-traded funds (ETFs) holding bitcoin on Wednesday, marking the first time the agency has permitted the trading of funds directly invested in crypto assets.

X said Wednesday that a “preliminary investigation” of the breach found that it was “not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number” associated with the SEC’s account.

The social media company also said the agency did not have two-factor authentication enabled at the time of the hack.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” Wyden and Lummis said in Thursday’s letter.

The senators suggested the SEC should have been using multifactor authentication and employing phishing-resistant hardware tokens known as security keys.

Security keys have been required for agency-hosted systems since January 2022, Wyden and Lummis noted. While not mandated for agency social media accounts, they suggested that the “guidance is clear” that such measures are necessary to protect against online attacks.

“The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure,” the senators wrote, referencing a new rule mandating companies disclose cybersecurity incidents within four business days.

“Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” Wyden and Lummis added.

The bipartisan push for an investigation into the hack comes after several Republican members of the House Financial Services Committee demanded Wednesday that SEC Chair Gary Gensler provide a briefing on the incident.

The group, which included House Financial Services Chair Patrick McHenry (R-N.C.), said the revelation that the SEC account did not have two-factor authentication enabled was “unacceptable.”

“Given yesterday’s tweet, we expect the SEC to hold itself to the same requirements that are imposed on companies throughout the country,” they wrote in Wednesday’s letter. “All market participants deserve transparency from you and your agency.”