The SEC's Twitter Account Compromise: Lessons and the Threat of SIM Swap Attacks

January 10, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, as we start a new year of our blog, let's kick off with what must be one of the most shocking cybersecurity incidents we can remember.

Incident Overview

On Tuesday, January 9, the U.S. Securities and Exchange Commission (SEC) experienced a significant cybersecurity incident when its official account on X (formerly Twitter) was compromised. An unauthorized tweet falsely claimed the SEC had approved Bitcoin exchange-traded funds (ETFs), leading to a dramatic fluctuation in Bitcoin's price and shaking the Bitcoin market to the tune of billions. Minutes later, SEC chairman Gary Gensler revealed (in another post on X) that the SEC's X account had been compromised, making clear that the original post was unauthorized and clarifying that the SEC had not approved the listing and trading of spot Bitcoin ETFs. That news caused the price of Bitcoin to plummet.

Since then, X has issued a statement regarding its investigation of the incident, making clear that the compromise was not due to a breach of X's systems, but instead due to the SEC's failure to implement multi-factor authentication (MFA) and an unidentified individual gaining control over the phone number associated with the SEC's account through what appears to be a SIM swap hack.

Key Lessons from the Incident

  • Social Media's Market Influence: The unauthorized tweet caused immediate and significant market reactions, demonstrating the profound impact social media can have on financial markets. Disinformation, especially regarding significant financial decisions, can lead to rapid and substantial economic consequences.

  • Importance of Cybersecurity Measures: Often, we see social media delegated to organizations' marketing teams, who may not be as diligent when it comes to cybersecurity. The compromise was a result of the SEC's social media account not having MFA enabled. This oversight facilitated the breach, emphasizing the critical need for robust security controls, including MFA, to safeguard sensitive information and accounts. Besides MFA, organizations should devote thought to access controls in and around their social media accounts, assuring that only authorized individuals have access, and that those individuals are savvy about cybersecurity and regularly trained.

  • Rapid Response and Crisis Management: The SEC did one thing right by issuing a swift clarification from SEC Chair Gary Gensler to address the disinformation. However, the incident also highlighted the need for quick and effective crisis communication strategies to mitigate the repercussions of such incidents.

Addressing the Threat of SIM Swap Attacks

The breach of the SEC's account was attributed to a SIM swap attack, a type of fraud in which a victim's phone number is transferred to a SIM card controlled by a criminal. Here's what you should know about SIM swap attacks:

Anatomy of a SIM Swap Attack: In a SIM swap scam, criminals gather personal information about the target, often through phishing or social engineering. They then contact the victim's phone carrier, impersonating the victim, and request a SIM swap. This transfers the victim's phone number to a new SIM card in the criminal's possession. Once this is done, the criminal receives all calls and texts intended for the victim, including one-time PINs and authentication texts, allowing them access to the victim's online accounts. Successful SIM swap attacks can lead to unauthorized access to high-value accounts, including financial and social media accounts. This can result in financial theft, identity theft, and loss of control over social media presence.

Preventive Measures:

  • Use authentication methods not reliant on phone numbers, like authentication apps or hardware tokens.

  • Add extra security measures to mobile accounts, such as unique passcodes.

  • Limit sharing personal information online that could be used by criminals in impersonation attempts.

  • Be cautious with mobile phone numbers, using different numbers for less secure or public interactions.

Our Thoughts:

“The great thing about irony is that it splits things apart, gets up above them so that we can see the flaws and hypocrisies and duplicates.”

- David Foster Wallace

This incident not only highlights the influence of social media on financial markets, but also underscores (in a most profound way) the vulnerabilities all organizations face in digital security. Remember, the SEC's new cybersecurity rules just took effect, and the SEC itself has identified cybersecurity as one of its priorities…

This particular social media account compromise serves as a stark reminder of the far-reaching impact of social media and of cybersecurity risk. It highlights the need for stringent cybersecurity measures, including awareness of SIM swap scams, and the importance of rapid response in crises.

To read more about the incident and SIM swap attacks, you can reference the following articles:

https://www.cnbc.com/2024/01/10/secs-compromised-account-was-not-due-to-breach-of-xs-systems-company-says.html

https://cointelegraph.com/news/sec-twitter-account-hacked-2fa-x-reveals

https://about.att.com/pages/cyberaware/ni/blog/sim_swap

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.
