SEC’s IT shop inadvertently deleted a year’s worth of texts from ex-chair’s phone

Nearly a year’s worth of text messages were erased from the phone of a former Securities and Exchange Commission chair due to a series of missteps by the agency’s IT office, according to a new watchdog report.

In a review published Wednesday, the SEC’s Office of Inspector General detailed how text messages sent and received by Gary Gensler — who led the regulator during the Biden administration — from October 2022 to September 2023 were inadvertently wiped from his government-issued device.

The trouble began July 6, 2023, when Gensler’s phone lost its connection with the SEC’s mobile device management system, showing up as “inactive” while still operating normally. On Aug. 10, 2023, the agency’s Office of Information Technology launched a policy to remotely wipe any SEC-issued mobile devices that hadn’t linked with the device management system for 45 days or more.

“This new policy was based on the erroneous assumption that such devices were not in use, were potentially lost or stolen, and could no longer connect to the SEC’s network,” the OIG wrote.

When Gensler showed up for work on the morning of Sept. 6, 2023, and noticed that SEC apps were gone from his phone, he reached out to the Office of Information Technology, whose personnel “hastily performed a factory reset of the smartphone, which resulted in the permanent deletion of the device’s data, including nearly a year’s worth of text messages,” according to the watchdog.

Had OIT or Gensler known that his phone had been wiped due to the new policy, the messages could have been recovered, per the OIG, which dinged SEC IT for poor change management with regard to the wiping policy, not properly maintaining its mobile device inventory or identifying inactive devices, and not effectively reviewing and escalating relevant system-generated notifications, among other issues.

As part of an incident report that ended up costing the agency more than $50,000, OIT discovered that the SEC’s mobile device vendor “knew of a ‘bug’ in prior versions of its operating system that could break the connection between a mobile device and a mobile device management system,” a possible culprit of Gensler’s initial phone troubles.

“However, inadequacies in the report impacted its reliability and usefulness,” the OIG reported. “Furthermore, because OIT did not collect or maintain necessary log data, neither OIT, its contractor, nor we could determine why Gensler’s device stopped communicating with the SEC’s mobile device management system, which caused the device to appear inactive and led to the enterprise wipe.”

Since the SEC reported the incident to its inspector general, the agency disabled text messaging across the agency — with some exceptions — and alerted the National Archives and Records Administration of the change. Gensler’s unrecoverable text messages, OIG noted, could impact the regulator’s responses to some Freedom of Information Act requests.

A partial OIG review of Gensler’s missing text messages — pieced together via an OIT matching process of SMS messages from certain SEC and non-SEC-issued numbers to the former chair’s phone number — found that roughly 38% of those texts were “mission related and concerned matters directly involving SEC senior staff and/or Commissioners at the time, making them records.”

Some of those texts included conversations about an enforcement action against a crypto platform, a possible settlement with a global financial services firm, and the appointment of a new commissioner. 

“Although we cannot review the missing text messages to definitively determine their status as records,” the watchdog wrote, “we can surmise based on our review of the recovered text messages that many, if not most, would be records.”

The SEC concurred with all five of the OIG’s recommendations aimed at better mobile device management practices, pledging to complete the tasks within the next six months.