Gary Gensler, chairman of the U.S. Securities and Exchange Commission (SEC), has responded to lawmakers regarding a breach of the SEC’s X account.
On January 9, an unknown actor used a SIM swap attack to take over the phone number tied to the SEC’s X account, gained control of the account, and published a fake message stating that the SEC had approved several spot Bitcoin ETFs. The SEC did approve those funds on January 10, but the January 9 post was not authentic.
Gensler said in a letter to lawmakers:
“I assure you that the SEC takes its cybersecurity obligations seriously. I understand that the SEC’s Office of Legislative and Intergovernmental Affairs hosted a briefing for your staff on January 17 regarding the X incident that addressed the questions raised in your letter.”
Gensler’s letter is addressed to House of Representatives members Patrick McHenry, Bill Huizenga, French Hill and Ann Wagner. Beyond their individual public comments, these House members sent a letter on January 10 asking the SEC to hold itself to the cybersecurity incident disclosure standards it imposes on public companies.
The House members asked for a response by January 17, a deadline the SEC appears to have met: Gensler’s letter cites a staff briefing on that date.
In a separate letter dated January 11, Senators Ron Wyden and Cynthia Lummis asked the SEC to investigate its use of multi-factor authentication, in particular phishing-resistant hardware tokens (security keys), which cannot be bypassed by taking over a phone number, and to close any security holes found. The senators asked for an update by February 12 (today); Gensler’s letter is not addressed to them, and no separate response has been reported.
Gensler says the investigation is ongoing
In the remainder of his letter, Gensler restated the already-public attack timeline and gave a status update on the investigations. Law enforcement, he said, is still investigating how the attacker persuaded the carrier to reassign the SIM card for the phone number linked to the SEC’s X account, and how the attacker learned which phone number was tied to the account. Both questions matter because, with SMS-based authentication or recovery, whoever controls the phone number effectively controls the account.
Gensler himself was the first to confirm, on January 9, that the SEC’s X account had been compromised. On January 12, he released a full statement about the incident.
Unlike those earlier statements, the letter to lawmakers was not released by the SEC and initially went largely unnoticed. It is dated February 6 and was published by Politico on February 8; several outlets reported on it more widely today.