Twitter Fined by EU Data Protection Watchdog For GDPR Breach

The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and is designed to protect users’ data and privacy. Recently, Ireland’s Data Protection Commission (DPC) fined Twitter €450,000 for violating the GDPR by failing to report a data breach to the DPC within 72 hours. The breach was caused by an Android app bug that Twitter discovered in January of 2019. The bug turned off the “protect your tweets” feature for Android users and modified account settings such as associated email addresses. The bug was in operation from November 2014 until January 3rd, 2019. Twitter notified the DPC on January 8th, 2019. Twitter took full responsibility for the mistake and cooperated fully with the DPC during its investigation.

Analyst Notes

Regulators are stepping up enforcement of data protection regulations; the fines suggest they are getting more serious about organizations that do not properly protect consumer data. Marriott was fined $124 million after a data breach. In 2019, Equifax agreed to pay $575 million for its 2017 data breach. Threat actors will continue to find creative ways to infiltrate companies and exploit user data. When an attack makes it through the outer layers of defense, it is important to have sufficient monitoring of endpoints and network devices, with a quick response from a Security Operations Center that operates 24 hours a day, every day. Twitter claimed that its failure to respond within the 72-hour timeline was the result of a staffing issue between Christmas Day and New Year’s Day. The Binary Defense Security Operations Center monitors for cyber threats 24/7, while the Counterintelligence service monitors for leaked information, including passwords, associated with clients’ brand names and domain names.