Twitter data breach: a silence that could be costly

Faced with the publication of data on several million of its users, Twitter has not reacted. Yet the company is required to notify regulators, especially in Europe, who will investigate, with a potentially hefty fine at stake.

Since Elon Musk bought Twitter at the end of October, the company has lurched from one disruption and controversy to the next, whether mass layoffs and employee resignations or reputational damage from the billionaire’s reckless and often outlandish tweets. Now, growing concern over a possible data breach stemming from a vulnerability Twitter has since patched is poised to drag the company down unless it acts quickly.

As European regulators begin investigating what appears to be a massive Twitter data breach, the social network and its CEO have made no public comment on the true extent of the incident. Experts say that if Twitter does not take the lead, tell regulators the truth and tell users how much public and private information has been exposed, the company could suffer serious financial and operational consequences.

A look back at the timeline of events

Like the dark web platforms involved, the circumstances surrounding Twitter’s data breach are murky. The saga began in July, when an actor known as “Devil” put up for sale, on a hacked-data forum, a database of phone numbers and email addresses belonging to 5.4 million Twitter accounts. Devil asked $30,000 for the data and said it had been obtained through a vulnerability disclosed to Twitter on January 1, 2022, which the company fixed on January 13, 2022. The flaw affected Android users and allowed anyone, without authentication, to obtain the Twitter ID of any user by submitting a phone number or email address, even if that user had disabled this lookup in their privacy settings. About a month after Devil’s listing, Twitter confirmed that a malicious actor had exploited the vulnerability and said it would notify the account owners affected by the breach.
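To make the class of flaw described above concrete, the following is an added illustration written for this article; it is not Twitter’s code and says nothing about how Twitter’s endpoint was actually implemented. It models a hypothetical account-lookup service with constructed sample users: the vulnerable version resolves any email or phone number to an account ID without authentication and without consulting the user’s discoverability setting, which both exposes opted-out users and lets an attacker enumerate which identifiers are registered. The hardened version requires an authenticated caller, rate-limits per caller, honours the setting that matches the identifier type, and returns the same answer for “opted out” and “not registered” so the response leaks nothing. All names, identifiers and numbers are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool   # "let people who have your email address find you"
    discoverable_by_phone: bool   # "let people who have your phone number find you"


# Constructed sample directory; these users and identifiers are hypothetical.
DIRECTORY = [
    Account(1001, "alice@example.test", "+15550000001", True, True),
    Account(1002, "bob@example.test", "+15550000002", False, False),   # opted out of both
    Account(1003, "carol@example.test", "+15550000003", True, False),  # email only
]


def _find(identifier: str) -> Optional[Account]:
    """Exact match on email or phone; returns the account or None."""
    for acct in DIRECTORY:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_lookup(identifier: str) -> Optional[int]:
    """The flaw class described in the article (hypothetical implementation):
    anyone, unauthenticated, can resolve an email or phone number to an account
    ID. The privacy setting is never consulted, so opted-out users are exposed,
    and registered vs. unregistered identifiers get different answers, which lets
    an attacker enumerate a list of emails or phone numbers at scale."""
    acct = _find(identifier)
    return acct.user_id if acct else None


class RateLimiter:
    """Minimal in-memory per-caller request budget, for illustration only."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, caller: str) -> bool:
        self.counts[caller] += 1
        return self.counts[caller] <= self.limit


def hardened_lookup(identifier: str, caller: Optional[str], limiter: RateLimiter) -> Optional[int]:
    """Hardened form: requires an authenticated caller, rate-limits per caller,
    checks the discoverability flag that matches the identifier type, and
    returns the same None for 'opted out' and 'not registered' so the response
    does not reveal whether the identifier belongs to an account."""
    if caller is None:
        raise PermissionError("authentication required")
    if not limiter.allow(caller):
        raise PermissionError("rate limit exceeded")
    acct = _find(identifier)
    if acct is None:
        return None
    # Consult the setting the user actually controls for this identifier type.
    allowed = acct.discoverable_by_email if "@" in identifier else acct.discoverable_by_phone
    return acct.user_id if allowed else None


if __name__ == "__main__":
    limiter = RateLimiter(limit=5)
    print(vulnerable_lookup("+15550000002"))                 # 1002: opted-out user leaked
    print(hardened_lookup("+15550000002", "u1", limiter))    # None: opt-out honoured
    print(hardened_lookup("alice@example.test", "u1", limiter))  # 1001: discoverable user
```

The point of the uniform None is that a caller cannot tell an unregistered address from a registered one whose owner opted out; the authentication and per-caller budget then make bulk harvesting of the discoverable remainder expensive and attributable.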

The full dataset of 5.4 million users was released for free on November 27, 2022. A second database, said to contain the details of 17 million users, also circulated privately in November. Then, in late December, Alon Gal, co-founder and chief technology officer of the Israeli cybercrime intelligence firm Hudson Rock, spotted a post on a criminal data-breach forum by a user called “Ryushi” offering to sell the email addresses and phone numbers of 400 million Twitter users. After analysis, Alon Gal said the headline figure of 400 million included duplicates, but that the breach remains one of the “biggest” he has ever seen.

Troy Hunt, who runs the data breach notification site HaveIBeenPwned, says he found 211.5 million unique email addresses in the leaked database. Another threat actor may have posted a dataset of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum’s currency, worth about $2.

Hackers take over the Twitter accounts of celebrities and public figures

Over the New Year period, the Twitter accounts of high-profile figures in the UK, India and Australia were hijacked. Among the compromised profiles were those of TV commentator Piers Morgan, UK Education Secretary Gillian Keegan, Northern Ireland Secretary Chris Heaton-Harris, singer Ed Sheeran and Indian TV star Salman Khan.

While these hacks may have nothing to do with the sample files Ryushi posted, Alon Gal believes they are related. “It’s probably not a coincidence: revealing the email address could be just what the hacker needs to generate passwords for the account, or to do some social engineering of their own,” Alon Gal said in a tweet.

Experts say Twitter needs to shed some light on the case

As conflicting reports about the Twitter intrusion continue to mount, cybersecurity experts are calling on Musk to clear up the confusion. Cybersecurity journalist Brian Krebs said in a tweet: “Hey, @elonmusk, since you don’t seem to have a media/comms team anymore, can you respond to the seemingly legitimate claim that someone harvested and is now selling data from hundreds of millions of Twitter accounts? Maybe this didn’t happen on your watch, but you owe me a response on Twitter.” Alon Gal said: “Twitter did not acknowledge this breach, and that’s a shame. They should acknowledge it as soon as possible, so that users are alerted to the risks they face now. I urge users of Twitter to change their passwords and beware of phishing attempts, and ask Twitter to acknowledge this breach as soon as possible.”

Douglas J. McNamara, a partner in the consumer protection practice at law firm Cohen Milstein, told CSO that he assumes Twitter is “engaging and looking into some of these issues. But they may not do it publicly, and they may not want to share that with everyone.” When it comes to US law, however, “it’s a little bit fuzzy,” he says, because state breach notification laws differ. “We would have to see who’s in there, what’s the PII [personally identifiable information]. Is this the type of PII that would trigger a reporting obligation [under the typical risk-of-harm analysis required by state data breach notification laws]?”

Also, at this point, “it’s not really clear if these are two different breaches, or if someone used scripts to take this information and add it to what’s already there by mixing it up, or if someone bought various other things from the dark web and put them together. It’s just not clear,” said Douglas J. McNamara. “To say it’s unclear is an understatement.” But he added that, from a corporate governance perspective, Twitter is better off being transparent. “If I care about my customers, the first thing I’ll do is check if it’s legit or not, and then ease their concerns.” That the breach predates Musk’s ownership of Twitter does not matter; he still needs to deal with it responsibly. “He bought the company. He bought the responsibility,” he added.

European regulators on deck

Even if Twitter’s exposure over the breach is currently elusive under US state laws, European regulation could do it the most damage. European data protection authorities have a wider range of factors to weigh in determining whether, and to what extent, Twitter is liable for an infringement. On December 23, 2022, before it was known that the data of hundreds of millions of Twitter users may have been exposed, the Irish Data Protection Commission (DPC) opened an inquiry into the initial incident involving 5.4 million Twitter users. The DPC said Twitter had provided several responses to its questions and that it believed the company may have infringed one or more provisions of the EU’s General Data Protection Regulation (GDPR).

Amy Worley, managing director and associate general counsel at Berkeley Research Group, told CSO that “GDPR has very strict data breach notification requirements. It also has a very broad definition of what a data breach is. Therefore it is broader than what exists in most American laws.” Amy Worley added that “GDPR is not limited to economic damages as defined by American laws. Privacy is a fundamental right in the EU, and it is linked to the rights and freedoms of data subjects.” Under GDPR, a company has 72 hours from becoming aware of a personal data breach to notify the supervisory authority, and must update that notification as its estimate of the number of affected users changes significantly. “If they think a business is ignoring or simply disregarding the law, that business is probably going to get in trouble for that,” Amy Worley said. GDPR fines can reach 4% of a company’s global annual turnover, although fines at that level are rare.

“It’s not just about economic damage”

More worrying for Twitter is that the European Union could effectively force it to shut down operations in Europe if evidence of a serious breach emerges. “The EU can also withdraw their ability to process data from European residents,” continued Amy Worley, adding: “They also have the ability to stop international data transfers over the internet. And [the EU] has the ability to say: ‘You do not have permission to process the personal data of European residents.’”

Her advice to Twitter, or to any organization in similar circumstances: “Understand what happened as soon as possible. Then really pay attention to this review. Is it reasonably likely to have an impact on the rights and freedoms of the data subject? Understand the full way the EU interprets it. It’s not just economic damage.”
