Senior Associate, Simon Ridding, examines the lessons to be learned from Twitter’s latest hacking scandal in Law360.
Simon’s article was published in Law360, 16 February 2023, and can be found here.
You don’t have to be a social media giant to face serious business risks from data breaches and cybercrime. Yet the bigger they are, the harder they fall. A series of recently reported data breaches at major tech giants offer lessons for companies of all sizes, across all business sectors.
These incidents demonstrate that even the most sophisticated tech companies can be vulnerable to major cybercrime and data protection breaches and the regulatory and litigation risks which inevitably eventuate. These cases show that it is vitally important for all corporates to adhere strictly to best practices in terms of their data protection and IT security arrangements. This includes robust technical measures, but also non-technical measures such as proper processes and procedures which mitigate risk and adequate training for staff.
Towards the end of 2022, news broke of another potentially seismic data breach at Twitter. Reports emerged that the personal data of perhaps hundreds of millions of Twitter users had been breached. A hacker named, “Ryushi”, who claimed to have obtained the data, was demanding US$200,000 to hand it over and delete entries.
As with many tech giants, Twitter’s European headquarters is in Dublin. This meant that Ireland’s Data Protection Commission (DPC) is the competent EU data protection authority to investigate the matter. The Irish DPC said it would “examine Twitter’s compliance with data-protection law in relation to that security issue”.
In the wake of the reported breach, cyber-crime intelligence company Hudson Rock told the BBC that the data appeared to go beyond an earlier reported breach of over 5 million Twitter accounts. Suggestions emerged that the same vulnerability which caused the earlier smaller breach was not adequately fixed and that the door was essentially left open for this second, much larger hack. Twitter was quick to deny that its systems were at fault.
The DPC said that, “Reports have claimed that some additional datasets have now been offered for sale on the dark web … The DPC has engaged with Twitter in this inquiry and will examine Twitter’s compliance with data-protection law in relation to that security issue.”
This latest data protection investigation of a social media giant comes hot on the heels of Meta – formerly Facebook – being fined €265 million after the data of an incredible 533 million Facebook users was leaked. The sheer number of individuals affected is hard to imagine, with over half a billion people being impacted. The potential for losses to scale up is truly remarkable in such cases, especially where liability for damages can be established.
The enormous scale of today’s social media giants is such that when a leak occurs, it can affect not merely millions – but potentially billions – of individuals in multiple jurisdictions across the globe. Where a company is at fault in some way for the data breach, a leak may result in multiple large fines and complex group litigation actions, alongside substantial reputational damage. Now that over 2 billion people are on Facebook – around a quarter of the Earth’s population – losses have the potential to be truly planetary in scale.
The ever growing scale of such platforms should also remind all businesses that where data is breached and then shared on social media, it can become instantly accessible to billions of people. Companies should ideally have robust social media policies, which forbid using personal social media accounts for work purposes, and which forbid employees from speaking about their work or clients on social media, unless specifically approved to do so.
We must await the investigation of the DPC and other data protection authorities before we know all the facts around the latest reported data breach at Twitter. The company denies that it is at fault in any way. In its first statement on the matter, Twitter said that “there is no evidence” that emails alleged to be linked to millions of its users’ accounts were obtained through hacking, as result of a flaw in its systems. However, there are suggestions that there may have been a flaw in Twitter’s systems. 
Twitter has also more recently stated that the leaked “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.” The company further stated that, “The data is likely a collection of data already publicly available online through different sources.”
Whatever the outcome of the DPC investigation into the recently alleged Twitter data breaches, it is clear that any data breaches of personal information can have the potential to pose a genuine security risk for some users. For example, where an IT security flaw exists, if a state actor or nefarious organisation wants to ascertain the location, habits and personal information of someone, and only had their email address or telephone number, they could simply exploit the vulnerability to locate their Twitter profile.
Some people may use encrypted email, such as Hushmail, for a variety of reasons. Anonymity can be essential for dissidents under authoritarian regimes and whistle-blowers who are exposing wrongdoing. In theory, and based upon what Twitter has said, it would be possible for a criminal to exploit the vulnerability to defeat a person’s attempts at remaining anonymous. However, if their email address can be used to identify their Twitter account, even if it is anonymised or operating under a pseudonym, that can create real-world risk to a vulnerable individual by identifying their location and activities, and exposing them to harassment.
It is, of course, beyond the knowledge of most ordinary people to be able to exploit such vulnerabilities in code. Most people, even if informed about such data security risks, might not understand the potential risks that can eventuate. Yet it can often be the case that many malign actors can take advantage of such vulnerabilities, even in a short period before the code can be modified. State actors and hacking collectives are often chief amongst the beneficiaries of such flaws, as they are constantly probing for system vulnerabilities.
This illustrates the vital importance of simple data security measures such as updating software regularly, and ideally automatically. Systems which are not updated remain vulnerable long after news has spread to other hackers. This applies not just to a company’s major systems, but also to phones, laptops and all devices used for company business. Strictly enforced data protection policies should be deployed by all companies to ensure that all devices are updated. This is also why good data protection policies should prevent employees from using their own personal devices for work purposes. The business simply cannot control or monitor whether an individual employee has their laptop or phone properly updated and running antivirus software or firewalls.
Surprisingly, some have even suggested that Twitter left the vulnerability open for six months, which apparently resulted in millions of users’ data being leaked. Twitter denies any link to the leaked data, but were any company to leave such a vulnerability left open for several months, that of course enables it to be widely communicated around the hacking community and exploited by bad actors. Whenever a data security risk is identified, it is essential to act swiftly and robustly to address the issue.
The truth is that we cannot assume that our systems are secure. Backups are a simple but essential measure which can help mitigate the risks of ransomware attacks. This is where hackers lock a company’s systems and seek a ransom to provide the decryption key. There have been recent warnings of a wave of such attacks against targets in Europe and North America. Whether they are major corporations, insurers, banks or government departments, there have been repeated successful ransomware attacks on well-funded organisations with the latest data security measures in place time and time again. We have also seen, time and time again, the personal data of millions leaked online, often on the dark web.
The damage such vulnerabilities have caused people is probably unknown, and, in many cases, unlikely ever to be known. One thing is clear – that data protection should not be treated as a dull tick box exercise. It is essential for companies to actively engage with the reality of data security risk, and to put in place the right data protection measures for their business.