In 2019, a breach at Twitter was revealed after a bug led to private tweets being made publicly available. The fault could have been in place since 2014. This page explains how the Twitter data breach happened.
In December 2020, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for failing to promptly declare and properly document a data breach. This comes after a Twitter bug led to private tweets being made publicly available.
In total, we believe that at least 88,726 Twitter users in the EU are affected by this breach, and there are likely to be significantly more.
In the first major tech GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since GDPR was introduced. The penalty was issued as Twitter failed to promptly declare and properly document a data breach.
The Irish Data Protection Commissioner is the lead EU privacy supervisor for several tech giants.
While the regulator did not believe that the original violation was especially serious, it held the tech giant to account for lack of haste in notifying the DPC about it. Under GDPR, organisations are legally obligated to inform the relevant supervisory authority of most breaches of personal data within 72 hours. GDPR also requires organisations to document what data was involved in the breach, and how they responded to the security incident. Twitter failed on both counts.
While other European regulators disagreed with the scale of the fine, the DPC said the €450,000 penalty was an “effective, proportionate and dissuasive measure”.
Twitter blamed the reporting error on a staffing mix-up. In a statement, it said:
“An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying [the Irish Data Protection Commissioner] outside the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion,” a spokesperson for the tech company said. “We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We’re sorry it happened.”
Speaking about the Irish DPC’s decision, Kingsley Hayes, our Head of Data Breach, said:
“The fine could be game-changing when it comes to big tech and personal data. It demonstrates that the Regulator is not afraid to hold the likes of Twitter to account for breaches of data protection law, even if a breach is not thought to be hugely damaging to the data subjects. The considerable use of social media by prospective employers and recruiters for vetting candidates means that in reality users could have failed job applications without realising or knowing it. With other large tech companies such as Google and Facebook having large operations in Dublin, Twitter is unlikely to be the last of the big players to be made to pay the price for failing to uphold its data protection obligations.”
Users affected by the Twitter data breach:
Twitter said that it had “informed people we know were affected by this issue”. However, the bug could have been in place since 2014, and Twitter does not keep logs that far back. In addition, an announcement on the Twitter Help Centre said that it could not confirm every account that may have been impacted.
Towards the end of 2022, news broke of another potentially seismic data breach at Twitter. Reports emerged that the personal data of perhaps hundreds of millions of Twitter users had been breached. A hacker named “Ryushi”, who claimed to have obtained the data, was demanding US$200,000 to hand it over and delete the entries.