You may take it for granted that your organisation has cybersecurity systems and processes in place, but have you checked them recently to make sure everything is up to date? Even the most diligent businesses and organisations – including government agencies – can be caught out, as a recent cybersecurity lapse at the US Securities and Exchange Commission (SEC) shows.
What happened with the SEC?
The SEC recently announced on X (previously Twitter) that it had approved exchange-traded funds (ETFs) for Bitcoin, which caused their value to spike. Except it wasn’t the SEC that wrote the post: a hacker had managed to access the SEC’s X account. After withdrawing the fraudulent post, the SEC did later confirm that it had approved these ETFs, but by that point the price had fallen.
How did the hackers access the account?
The main reason hackers were able to gain access to the SEC’s X account was that multifactor authentication (MFA) had been disabled six months before. According to the SEC, “While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.” With MFA off, the fraudster only had to convince a mobile operator to transfer an SEC employee’s phone number – the one linked to the X account – to a new SIM card, without having to further verify that they were authorised to do so. Had MFA been active, the account would have been much harder to hack.
In this case, the hack and subsequent fallout caused only minor damage – to the ETF price and to the reputation of the SEC – but it could have been much worse. It is therefore a good idea to ensure MFA is active for all official business accounts, not just social media accounts. And rather than relying on MFA through text message (which a hacker might also receive if they have taken over a person’s phone number, as happened here), it’s better to use a dedicated authenticator app for verification.