Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The X post on the Securities and Exchange Commission’s official account claiming, falsely, that it had approved US spot bitcoin exchange traded funds on Tuesday appears to have been the result of exactly the type of hack the regulator has spent years warning companies to prevent.
The post was shared widely on social media as well as Bloomberg TV and business news websites, until SEC chair Gary Gensler posted on his own X account 10 minutes later saying the regulator’s account had been “compromised” and no approvals had been granted.
The mishap is a high-profile black eye for Gensler, who has made cyber security a pillar of his agenda, adopting tougher rules to broaden disclosures of businesses’ cyber incidents and punishing companies for misleading investors about their cyber security practices.
The SEC said the unauthorised access to its account had been terminated. It is working with agencies including the FBI, to examine the incident.
In a post late on Tuesday, X, formerly known as Twitter, said the “compromise” was caused by an “unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party”. X went further and disclosed that the SEC’s account lacked two-factor authentication. “We encourage all users to enable this extra layer of security,” it added.
By cyber security standards, a compromised X account is far less serious than a breach targeting the regulator itself, such as the hack of the SEC’s corporate filing system in 2016 that allegedly allowed traders to pocket at least $4.1mn in illegal profits.
“In the end, it’s just an embarrassment,” said Bruce Schneier, Harvard lecturer and security technologist. “In the greater scheme of things, no harm done.”
Nevertheless, “this is kindergarten stuff”, he added. “This is not a subtle security decision, we have to make a committee and purchase a product and decide to deploy it. This is setting a two-factor authentication on your Twitter account.”
Chris Pierson, chief executive of cyber security group BlackCloak, said that it was not uncommon for organisational accounts to operate without two-factor identification because setting up an authentication system for an account used by multiple people was more complicated.
X’s disclosure of the SEC’s failure to implement two-factor authentication surprised some analysts. But Pierson said it made sense in light of the commission’s tough new cyber security rules that require disclosure of any material cyber security event within four days.
“X didn’t have to do it, but they likely took the extra step because of the SEC’s focus on cyber security rules,” he said. “The SEC spent all of 2023 banging the drums on cyber security.”
X is controlled by Elon Musk, who has been a vocal and longtime critic of the SEC. In 2018, he agreed a settlement with the agency after being charged with securities fraud linked to a post on Twitter saying he was “considering taking Tesla private at $420. Funding secured.” Musk subsequently bought Twitter, took it private and renamed it X.
The SEC separately sued Musk in October to compel him to testify as part of a probe by the agency into his 2022 purchase of Twitter, a subpoena he has been fighting in court.
For the SEC, the hack came just as the financial world’s sights were fixed on the regulator just hours before a highly anticipated deadline on whether to approve some of the at least 11 applications submitted by asset managers seeking to launch spot bitcoin ETFs.
In the minutes after the fake post, bitcoin rose to be 1.5 per cent higher on the day but swiftly reversed once the post was debunked. The price then dropped as much as 3.4 per cent before rebounding a bit.
Lawmakers in Washington have called for an investigation into what happened. Bill Hagerty, the Republican senator from Tennessee who has criticised the SEC’s tougher enforcement stance on crypto, called the incident “unacceptable” in an X post.
“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened,” he added.
Sherrod Brown, the Democratic chair of the US Senate banking committee, which oversees the SEC, told the Financial Times in a statement he was “concerned” that the incident “could undermine our markets and the agency’s mission”. Cynthia Lummis, the Republican senator from Wyoming and crypto proponent, said in an X post on Tuesday that “we need transparency on what happened”.
The motive and nature of the hack remain unclear. It “could be ‘ha ha wasn’t that funny’ or ‘I made a bunch of investments and now I’m going to cash in on them’,” said Schneier, the Harvard lecturer and security technologist.
James Elbaor, head of Marlton, a Chicago-based hedge fund that is active in the bitcoin market and other markets, said they had seen no “strange market movement that would have benefited from the hack”.
“I just think it was someone who should have known better, but not someone trying to make money,” he said. “Not that nefarious.”
Additional reporting by Stephen Gandel and Hannah Murphy