A breach of the Securities and Exchange Commission’s X account — falsely claiming the agency had approved a Bitcoin exchange-traded fund — occurred partly because the agency hadn’t enabled two-factor authentication as a security measure, according to X.
The federal government has ordered its agencies to beef up security, raising questions about why the SEC didn’t employ two-factor authentication for its X account.
Spokespeople for the Federal Deposit Insurance Corp. and the Federal Trade Commission told Barron’s the agencies have two-factor authentication enabled on their social media accounts. A Federal Reserve spokesperson declined to comment on two-factor authentication specifically, but said it has “robust protocols around the security of our social media accounts.”
The SEC didn’t respond to a request for comment. In statements given Tuesday, the regulator said it determined there was brief unauthorized access to its account by an unknown party shortly after 4 p.m. ET. That access was terminated, the SEC said.
In a separate statement on Wednesday, an SEC spokesperson said the agency is coordinating with law enforcement agencies including the Federal Bureau of Investigation and is continuing to investigate the breach. The spokesperson said the agency would “provide updates on the incident as appropriate.”
The incident occurred late Tuesday when an unknown individual used a phone number associated with the SEC’s X account to access the agency’s profile and publish a false announcement approving Bitcoin ETFs, according to a preliminary investigation conducted by X. The SEC’s account didn’t have two-factor authentication enabled when the account was compromised, according to a post by X’s Safety team on its platform Tuesday evening.
The federal government has struggled for years to ensure agencies and employees implement security protocols to prevent similar breaches.
In 2022, the Office of Management and Budget ordered all federal agencies to adopt stricter cybersecurity protections before October 2024 — including the adoption of multi-factor authentication for agency computer accounts.
The White House and other federal departments including the Treasury Department, Commodity Futures Trading Commission, Office of Management and Budget, and other agencies did not respond to requests for comment.
Last July, the White House hosted a symposium on multi-factor authentication technology, which adds cell-phone confirmation or biometrics to the traditional use of a text password. Industry experts joined the administration’s cybersecurity chiefs.
“How we prove who we are online is one of the cornerstones of providing a positive, intuitive, and trusted digital experience,” said Federal Chief Information Officer Clare Martorana, in a statement at the end of the day-long session.
Tuesday’s incident isn’t the first time bad actors have gotten access to the SEC’s systems or those of other government agencies and current or former government officials. In 2019, federal prosecutors brought charges against nine defendants for hacking into the contractors that process companies’ securities filings and extracting nonpublic information they could trade on. In 2020, hackers took control of the Twitter accounts of several targets, including Barack Obama and Joe Biden, to promote a Bitcoin scam.
In its post, X encouraged users to enable two-factor security and said the compromise wasn’t due to any breach of its systems. The individual obtained control over the phone number through a third party, X said.
Write to Joe Light at [email protected], Jack Denton at [email protected], and Bill Alpert at [email protected].