After the data of 5.4 million Twitter accounts was siphoned off by hackers via an API vulnerability and then shared on a hacker forum, the data protection authorities are also taking action. The data protection authority in Ireland, which is responsible for Twitter in Europe, announced on Dec. 23, 2022, that it would open a formal investigation against Twitter.
The Twitter hack
Twitter had a vulnerability in its API that allowed unauthorized third parties to access Twitter account data. The vulnerability was fixed in January 2022. However, cybercriminals managed to exploit this vulnerability beforehand and collect data. A security researcher uncovered a massive data leak in this context: the data from 5.4 million Twitter accounts was siphoned off and shared on a hacker forum. The data consists of scraped public information as well as private phone numbers and email addresses not intended for public use. I reported on this in the blog post Twitter data privacy incident (August 2022) and in the German blog post Datenleck: 5,4 Millionen geklaute Twitter-Kontendaten kostenlos in Hackerforum geteilt.
Irish Data Protection Authority investigates
In a notification dated December 23, 2022, the Irish Data Protection Commission ("DPC") announced a formal investigation into the incident. It says the DPC has launched an investigation under Section 110 of the Data Protection Act 2018. The investigation was triggered after several international media reports indicated that one or more collected datasets containing personal data of Twitter users had been made available on the internet.
These datasets reportedly contained personal data of approximately 5.4 million Twitter users worldwide, according to the DPC. In the datasets, Twitter IDs were reportedly associated with email addresses and/or phone numbers of the data subjects.
The DPC corresponded with Twitter International Unlimited Company ("TIC") regarding the reported personal data breach. The DPC then determined, after reviewing the information provided by Twitter to date in this matter, that one or more provisions of the EU General Data Protection Regulation (GDPR) may have been violated by the data leak.
Accordingly, the DPC considers it appropriate to determine whether TIC has complied with its obligations as a controller in relation to the processing of personal data of its users, or whether TIC has violated and/or is violating one or more provisions of the GDPR and/or the Act in this regard.