Twitter data breach: Silence that could cost you dearly

Faced with the publication of several million subscribers’ information, Twitter did not react. However, the company is obliged to notify the regulators, especially in Europe. The latter will investigate, and a fine may well be the outcome.

Since Elon Musk bought Twitter in late October, the company has continued to cause disruption and controversy, whether through mass layoffs and resignations or through the reputational damage caused by the billionaire’s reckless and often outlandish tweets. Now, growing concern over a possible data breach caused by a flaw Twitter has since patched is poised to drag the company down unless Twitter moves fast.

As European regulators begin investigating what appears to be a massive Twitter data breach, the social network and its CEO have been tight-lipped about the true scale of the incident. If Twitter doesn’t take the lead, tell regulators the facts and tell users how much public and private information is being exposed, the company could face serious financial consequences, experts say.

A look back at the timeline of events

Like the dark web platforms involved, the circumstances surrounding Twitter’s data breach are murky. The nightmare began in July when the actor known as “Devil” put a database of phone numbers and email addresses from 5.4 million Twitter accounts up for sale on a hacked-data forum. Devil demanded $30,000 for this information and claimed to have obtained it through a vulnerability reported to Twitter on January 1, 2022. The firm fixed the flaw on January 13, 2022. It affected Android users and allowed anyone, without authentication, to obtain the Twitter ID of any user by providing a phone number or email address, even if the user had disallowed this in their privacy settings. About a month after Devil’s post, Twitter confirmed that a malicious actor had exploited the vulnerability and said it would send notifications to the account holders affected by the breach.
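The lookup flaw described above is an account-enumeration problem: an endpoint that resolves a phone number or email address to an account, ignoring the user’s discoverability setting, lets anyone confirm which contacts are registered and harvest them in bulk. The following is an added example, not code from Twitter or from this article: a toy lookup service showing the vulnerable pattern next to a hardened one that requires a session and returns the same answer for non-discoverable and unknown contacts, plus a detection routine that flags source IPs querying many distinct contacts in a short window. The user table, log lines and function names are all constructed for illustration.

```python
"""Contact-to-account lookup: vulnerable pattern, hardened pattern, and
a detector for bulk enumeration in access logs.

Added example; the users, log lines and function names are constructed
and are not Twitter's code or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed user directory. "discoverable" mirrors the privacy setting
# "let people who have my email/phone find me".
USERS = {
    "alice@example.org": {"id": 1001, "discoverable": True},
    "bob@example.org":   {"id": 1002, "discoverable": False},
}


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Unauthenticated lookup that ignores the privacy setting.

    Any caller learns whether a contact is registered and which account
    it belongs to, which is what bulk enumeration abuses.
    """
    user = USERS.get(contact)
    return user["id"] if user else None


def lookup_hardened(contact: str, authenticated: bool) -> Optional[int]:
    """Lookup that requires a session and honours the privacy setting.

    A non-discoverable contact yields exactly the same response as an
    unknown one, so the endpoint never confirms that a contact is registered.
    """
    if not authenticated:
        return None
    user = USERS.get(contact)
    if user is None or not user["discoverable"]:
        return None
    return user["id"]


# Constructed access-log lines: "<timestamp> <source ip> <endpoint> <contact token>".
# 203.0.113.7 hits five distinct contacts in five seconds; 198.51.100.9 does not.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 203.0.113.7 /lookup c1
2022-01-05T10:00:02Z 203.0.113.7 /lookup c2
2022-01-05T10:00:03Z 203.0.113.7 /lookup c3
2022-01-05T10:00:04Z 203.0.113.7 /lookup c4
2022-01-05T10:00:05Z 203.0.113.7 /lookup c5
2022-01-05T10:00:06Z 198.51.100.9 /lookup c9
2022-01-05T10:00:30Z 198.51.100.9 /lookup c9
2022-01-05T10:05:00Z 198.51.100.9 /lookup c10
2022-01-05T10:05:01Z 198.51.100.9 /timeline c10
"""


def detect_enumeration(log_text: str, max_distinct: int = 3,
                       window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Return {source_ip: peak_distinct_contacts} for IPs whose number of
    distinct contacts queried inside any sliding window exceeds max_distinct."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, contact = line.split()
        if endpoint != "/lookup":          # only the lookup endpoint matters
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events[ip].append((when, contact))

    flagged: Dict[str, int] = {}
    for ip, evs in events.items():
        evs.sort()
        counts: Dict[str, int] = defaultdict(int)   # contacts inside the window
        start, peak = 0, 0
        for when, contact in evs:
            counts[contact] += 1
            # Evict events that fell out of the window.
            while when - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("bob@example.org"))               # 1002
    print("hardened:  ", lookup_hardened("bob@example.org", authenticated=True))  # None
    print("flagged:   ", detect_enumeration(SAMPLE_LOG))                     # {'203.0.113.7': 5}
```

The hardened lookup still returns a result for a discoverable user, because the feature itself is legitimate; what changes is that a caller can no longer distinguish “not registered” from “registered but not discoverable”, and must hold a session that can be rate-limited and attributed. The detector is deliberately simple (distinct contacts per source in a sliding window); in production the source key would be a session or API key rather than an IP, and the threshold would be tuned against normal contact-sync traffic.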

The dataset containing the details of all 5.4 million users was released for free on November 27, 2022. Another database, allegedly containing details of 17 million users, had been leaked privately in November. In late December, Alon Gal, co-founder and CTO of Hudson Rock, an Israeli cybercrime intelligence firm, saw a post on a crime forum in which a user named “Ryushi” offered to sell the email addresses and phone numbers of 400 million Twitter users. After analysis, Alon Gal said that the initial figure of 400 million users included duplicates. Even so, the breach remains one of the “biggest” he has ever seen.

Troy Hunt, who runs the data breach notification site Have I Been Pwned, says he found 211.5 million unique email addresses in the leaked database. Another threat actor may have posted a dataset of 200 million Twitter profiles on the hacker forum Breached for eight of the forum’s credits, worth about $2.

Hackers have taken over the Twitter accounts of celebrities and public figures

During the New Year holidays and shortly after the New Year, the Twitter accounts of prominent figures in the UK, India and Australia were hacked. Among the hacked profiles are those of TV commentator Piers Morgan, UK Education Secretary Gillian Keegan, Northern Ireland Secretary Chris Heaton-Harris, singer Ed Sheeran and Indian TV star Salman Khan.

Although these hacks have nothing to do with the sample files Ryushi posted, Alon Gal believes they are related. “This is probably no coincidence: revealing an email address could be just what a hacker needs to find passwords for an account or perform social engineering in their own way,” Alon Gal tweeted.

Experts say that Twitter should shed some light on this issue

As conflicting reports about the Twitter hack continue to mount, cybersecurity experts are urging Musk to clear up the confusion. Cybersecurity journalist Brian Krebs tweeted: “Hey @elonmusk, since you no longer have a media/comms team, can you respond to the seemingly legitimate claim that someone has collected data from hundreds of millions of Twitter accounts and is now selling it? Maybe it didn’t happen on your watch, but you owe it to Twitter to respond.” Alon Gal said: “Twitter didn’t acknowledge this breach and that’s a shame. They need to acknowledge this as soon as possible so that users are aware of the risks they now face. I urge Twitter users to change their passwords and avoid phishing attempts, and I urge Twitter to respond to this breach. I ask them to acknowledge it as soon as possible.”

Douglas J. McNamara, a partner in Cohen Milstein’s consumer protection practice, tells CSO that he believes Twitter is “busy and looking at some of these issues,” but that it may not be doing so openly and may not want to share it with everyone. When it comes to the law in the U.S., it is “a little murky,” says McNamara, given the differences between state laws on breach notification. “We need to see who’s in there, what the PII [personally identifiable information] is. Is this the type of PII that will trigger a reporting obligation [under the typical risk-of-harm analysis required by state data breach notification laws]?”

Also, at this point, “whether these are two different breaches, or whether someone used scripts to extract this information and add it to what was already there by mixing it up, or whether someone bought different things from the dark web and put them together, it’s just not clear,” McNamara says. “To say it’s murky is an understatement.” But he adds that, from a good corporate governance perspective, Twitter would be better off being transparent: “then they could ease their concerns.” It doesn’t matter if the data breach predates Musk’s ownership of Twitter; he still has to deal with it responsibly. “He bought the company. He bought the responsibility,” he adds.

European regulators on board

Even if Twitter can take some comfort in the fact that liability for a data breach is currently unlikely under US state law, European regulations could hurt it the most. European data protection authorities have broader factors to weigh when determining whether, and to what extent, Twitter is liable for the breach. On 23 December 2022, before it was known that the data of hundreds of millions of Twitter users might have been exposed, the Irish Data Protection Commission (DPC) launched an investigation into the initial incident involving 5.4 million Twitter users. The DPC said Twitter had provided several answers to its questions and that it believed the company may have breached one or more provisions of the EU’s General Data Protection Regulation (GDPR).

Amy Worley, Managing Director and Associate General Counsel at Berkeley Research, tells CSO: “GDPR has very strict data breach notification requirements. It also has a very broad definition of what constitutes a data breach. It is therefore broader than most American statutes.” Amy Worley clarifies that “GDPR is not limited to economic damages as interpreted by American law. Privacy is a fundamental right in the EU, and it is tied to the rights and freedoms of data subjects.” Under European data protection rules, companies have 72 hours to report data breaches and must report significant changes in their estimates of the number of users affected. “If they think a business is simply ignoring or breaking the law, then the business can get in trouble for it,” says Amy Worley. GDPR fines can reach 4% of a company’s worldwide turnover, although such fines are rare.

“It’s not just about economic damage”

Perhaps more worrying for Twitter is that, if evidence of gross misconduct emerges, the European Union could effectively force it to cease operations in Europe. “The EU can also remove the ability to process the data of European residents,” Amy Worley continues, adding: “They also have the ability to stop international data transfers over the internet. And [the EU] has the ability to say ‘You are not authorized to process the personal data of European residents’.”

His advice to Twitter, or any organization in a similar situation, is: “Find out what’s going on as soon as possible. Then really pay attention to this analysis. Is the impact on the data subject’s rights and freedoms reasonable? Understand that the EU interprets this in its entirety. This is not only economic damage.”
