There are cybersecurity lessons to be learned from high-profile data breaches and the ensuing regulatory responses. The recent well-publicized Twitter hack is no different. According to the New York State Department of Financial Services (“NYSDFS”) investigation and report, on July 15, 2020, a 17-year-old hacker and his accomplices easily misled Twitter employees into disclosing their credentials, resulting in a breach of Twitter’s network and the takeover of accounts belonging to high-profile users, all within a 24-hour period. The NYSDFS concluded that Twitter’s cybersecurity safeguards were inadequate, permitting the hackers to impersonate politicians, celebrities, entrepreneurs and several cryptocurrency companies by abusing their Twitter accounts to solicit bitcoin payments in a “double your bitcoin” scam. The top takeaways were that social media and consumer organizations should conduct comprehensive workforce cybersecurity training, have strong cybersecurity leadership that effectively manages account access and authentication, and use a Security Information and Event Management (SIEM) solution to detect and respond to threats in real time. Notably, in light of its findings, the NYSDFS is now calling for dedicated cybersecurity regulation of large social media companies, akin to the NYSDFS cybersecurity regulation for financial services organizations, because “[t]he risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions.”

The NYSDFS found that the hackers acted like garden-variety fraudsters, duping Twitter employees into entering their credentials on a phishing website by pretending to be calling from the Help Desk of Twitter’s Information Technology department about recent issues with Twitter’s VPN. The hackers directed the employees to sign into a website that looked identical to the Twitter VPN website and was hosted on a look-alike domain, but was in reality a phony site controlled by the hackers. As the employees entered their credentials on the phony website, the hackers simultaneously entered those same credentials on Twitter’s real VPN website. That real login triggered a second-factor notification to the employees’ mobile phones asking them to authenticate themselves; some of the employees approved it, and the hackers gained access. Because the second factor was a prompt the employee simply approved, rather than something bound to the website the employee was actually on, it offered no protection against this kind of real-time relay. After gaining access to the network, the hackers escalated their attack by targeting other Twitter employees who had a higher level of privilege, with access to internal tools that permitted the takeover of high-profile user accounts.
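To make the mechanism concrete, the following is an added simulation written for this page (it is not code from the NYSDFS report or from Twitter) of the real-time credential relay described above. It shows why a second factor that the employee merely approves is defeated by the relay, and why an origin-bound second factor in the style of WebAuthn is not, because the browser signs the origin the user is really on and the real portal rejects any other origin. The company, domains, account name, password and keys are made up, and the device key is an HMAC secret standing in for an authenticator's key pair (a simplification):

```python
"""Constructed simulation of a real-time phishing relay against two kinds of
second factor. Names, domains, secrets: all made up for this example."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://vpn.example-corp.test"    # assumed legitimate VPN portal
PHISH_ORIGIN = "https://vpn.example-c0rp.test"   # assumed look-alike phishing site


class RealVpn:
    """Stand-in for the legitimate VPN portal: password, then a second factor."""

    def __init__(self, user, password, device_key):
        self.users = {user: {"password": password, "device_key": device_key}}
        self.pending = {}  # user -> outstanding push nonce or assertion challenge

    def check_password(self, user, password):
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    # Second factor A: a push notification the employee simply approves.
    def start_push(self, user):
        self.pending[user] = secrets.token_hex(8)
        return self.pending[user]

    def finish_push(self, user, nonce, approved):
        return approved and self.pending.pop(user, None) == nonce

    # Second factor B: a challenge signed together with the origin the browser
    # is actually on; the portal insists that origin is its own.
    def start_assertion(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_assertion(self, user, assertion):
        challenge = self.pending.pop(user, None)
        client_data = json.loads(assertion["client_data"])
        if client_data["challenge"] != challenge:
            return False
        if client_data["origin"] != REAL_ORIGIN:  # the relay cannot forge this
            return False
        expected = hmac.new(self.users[user]["device_key"],
                            assertion["client_data"].encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


class Employee:
    """Victim: types the password wherever asked and approves pushes that arrive."""

    def __init__(self, password, device_key):
        self.password = password
        self.device_key = device_key  # HMAC stand-in for the authenticator key

    def approve_push(self, nonce):
        return True  # approves the prompt, as some employees did

    def sign(self, origin, challenge):
        # The browser, not the page, fills in the origin the user is really on.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.device_key, client_data.encode(), hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


def relay_attack_push(vpn, victim, user):
    """Attacker replays the phished password on the real portal at once; the
    real portal pushes a prompt to the victim, who approves it. Succeeds."""
    if not vpn.check_password(user, victim.password):
        return False
    nonce = vpn.start_push(user)
    return vpn.finish_push(user, nonce, victim.approve_push(nonce))


def relay_attack_origin_bound(vpn, victim, user):
    """Same relay, but the victim's browser signs the phishing origin. Fails."""
    if not vpn.check_password(user, victim.password):
        return False
    challenge = vpn.start_assertion(user)             # fetched from the real portal
    assertion = victim.sign(PHISH_ORIGIN, challenge)  # signed on the phishing page
    return vpn.finish_assertion(user, assertion)


def legitimate_login_origin_bound(vpn, victim, user):
    """Control case: the same employee logging in on the real portal."""
    if not vpn.check_password(user, victim.password):
        return False
    challenge = vpn.start_assertion(user)
    return vpn.finish_assertion(user, victim.sign(REAL_ORIGIN, challenge))


def run_scenarios():
    key = secrets.token_bytes(32)
    vpn = RealVpn("alice", "correct horse battery", key)
    alice = Employee("correct horse battery", key)
    return {
        "push_relay": relay_attack_push(vpn, alice, "alice"),
        "origin_bound_relay": relay_attack_origin_bound(vpn, alice, "alice"),
        "origin_bound_legit": legitimate_login_origin_bound(vpn, alice, "alice"),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Run it and the push relay succeeds while the origin-bound relay is rejected on the origin check; the same assertion signed on the real portal is accepted. The point for a remote-access deployment is that the relay never touches the second-factor secret, so only a factor tied to the site the user is actually visiting defeats it.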

The NYSDFS concluded: “The Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.” The NYSDFS found that Twitter had been without a chief information security officer since December 2019, seven months before the hack. The report also found that the hackers directly exploited Twitter’s shift to remote working during the pandemic. According to the NYSDFS: “The ramp up to total remote working in March 2020 put a strain on Twitter’s technology infrastructure, and employees had frequent problems with the VPN connections to the network. The hackers took advantage of these issues and pretended to be calling from Twitter’s IT department about a VPN problem.” The hackers had researched Twitter’s organization, learning the basic functions and titles of Twitter employees, so they could impersonate Twitter’s IT department more convincingly. Despite public guidance from numerous regulatory authorities, including the NYSDFS, to identify and respond to cybersecurity risks during the pandemic, the NYSDFS found that Twitter did not implement any significant compensating controls after March 2020 to mitigate the heightened risk to its remote workforce. The hackers here sought to commit garden-variety financial fraud, but the report emphasized that a similar “hack, when perpetrated by well-resourced adversaries, could wreak far greater damage by manipulating public perception about markets, elections, and more.”

The NYSDFS concluded that although Twitter is subject to generally applicable data privacy and cybersecurity laws, such as the California Consumer Privacy Act, the New York SHIELD Act, and the European Union’s General Data Protection Regulation, all of which regulate the storage and use of personal data, “there are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report. That regulatory vacuum must be filled.”

While it remains to be seen whether the NYSDFS’ report will ultimately build momentum for the appointment of a new national cybersecurity regulator, social media and other consumer-facing organizations should look at their own practices in light of the Twitter hack, and take steps now to address the risks to a remote workforce as outlined in our recent blog “Cybersecurity In The Age Of The Covid-19 Remote Worker and Beyond.”
