Ireland’s data protection regulator (DPC) takes on Twitter and is investigating a possible data breach from the summer. Affected: 5.5 million user accounts.
Ireland’s Data Protection Commission (DPC) has launched an investigation into a privacy incident at Twitter this summer, in which the company is believed to have breached the General Data Protection Regulation (GDPR). It concerns around 5.5 million Twitter user accounts whose data a cybercriminal obtained through a security hole in Twitter’s registration process (mass collection of this kind is known as scraping) and offered for sale in July. The hacking platform where the offer appeared confirmed the authenticity of the data ‘sample’ presented.
The vulnerability may have been exploited multiple times
The leaked data contained Twitter user IDs paired with the email addresses and telephone numbers of the users, i.e. personal data. Several media outlets reported on it. The DPC took these reports as an opportunity to open an investigation under Section 110 of the Data Protection Act on its own initiative. Twitter itself dutifully reported the incident to the DPC as a possible GDPR violation; the authority then exchanged correspondence with the company, the DPC writes in its statement.
Twitter had cited a security hole in its software as the cause of the data leak. This gap was known on January 1, 2022, and was closed by Twitter 5 days later. Apparently, that window was enough for an unknown actor to gain access to the data of around 5.5 million user accounts. The DPC has sent Twitter questions about the incident, has already received replies, and now concludes that Twitter may have breached the GDPR on one or more counts.
The investigation that has now been initiated is intended to clarify the extent to which a data protection violation has occurred and how it should be punished. But apart from that, Twitter faces further trouble from the same gap in January – and on a completely different scale: as became known on Christmas Day, data from around 400 million Twitter user accounts was probably copied in the same way and recently offered for sale. A violation of this magnitude can be very expensive: as recently as November of this year, the DPC imposed a fine of 265 million euros on the Meta group. The reason for that fine was the scraping of around 533 million user data records from Facebook.