Twitter Hack Probe: Calls for Social Media Cybersecurity Rules

A New York State Department of Financial Services (NYSDFS) inquiry concerning this summer’s Twitter security breach culminated in a strong criticism of the platform’s vulnerability to a straightforward social engineering tactic – and a broader recommendation for increased security regulation of major social media companies.
The NYSDFS report highlights, as a contrasting illustration, the prompt response of regulated cryptocurrency businesses in preventing further exploitation by the Twitter hackers, suggesting that technological advancement and regulatory oversight are not inherently incompatible.
The central argument presented is that the largest social media networks wield substantial influence over society, and consequently carry significant consumer risk, yet operate without mandated responsibilities to safeguard their users.
The report’s conclusion emphasizes the need for immediate action by U.S. legislators, proposing the creation of a supervisory body to identify “systemically important social media companies” and the appointment of a suitable regulator to oversee and monitor the security protocols of prominent social media platforms.
“Social media platforms have become essential for communication: over half of Americans rely on these services for news and to connect with their network of contacts. This development necessitates a regulatory framework that recognizes social media as vital infrastructure,” the NYSDFS states, further noting the absence of a dedicated state or federal agency with the authority to enforce sufficient cybersecurity measures to prevent fraud, misinformation, and other widespread threats to major social media services.
“The Twitter Hack vividly illustrates the societal dangers when critical institutions are permitted to self-regulate,” the report continues. “Protecting systemically important social media from misuse is vital for everyone – individuals, voters, the government, and the business sector. Governmental intervention is required without delay.”
We have contacted Twitter for a statement regarding the report.
Key findings from the Department’s investigation reveal that the hackers gained access to Twitter’s systems by contacting employees while posing as members of the company’s IT department – a simple social engineering technique that successfully deceived four employees into disclosing their login credentials. This allowed the perpetrators to compromise the Twitter accounts of well-known political figures, celebrities, and business leaders, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk, and several cryptocurrency firms – subsequently utilizing these accounts to disseminate a cryptocurrency scam to a vast user base.
Twitter has previously acknowledged that a “phone spear phishing” attack was employed to obtain these credentials.
According to the report, the hackers’ “double your bitcoin” scam messages, which included links for bitcoin payments, resulted in the theft of over $118,000 worth of bitcoins from Twitter users.
However, a significantly larger amount of funds was protected due to the rapid intervention of regulated cryptocurrency companies – specifically Coinbase, Square, Gemini Trust Company, and Bitstamp – which the Department states blocked numerous attempted transfers by the fraudsters.
“This quick response prevented over 6,000 attempted transfers, totaling approximately $1.5 million, from reaching the Hackers’ bitcoin addresses,” the report details.
The report also points out that Twitter lacked a cybersecurity chief at the time of the breach, following the departure of Mike Convertino in December 2019 to join cyber resilience firm Arceo, and the position remained unfilled.
Last month, the company announced the appointment of Rinki Sethi as CISO.
“Despite functioning as a global social media platform with over 330 million average monthly users in 2019, Twitter did not maintain sufficient cybersecurity safeguards,” the NYSDFS writes. “At the time of the attack, Twitter lacked a chief information security officer, appropriate access controls and identity management systems, and adequate security monitoring – all of which are fundamental requirements of the Department’s pioneering cybersecurity regulation.”
Existing European Union data protection legislation already incorporates security requirements within a comprehensive privacy and security framework (with substantial penalties possible for security violations). However, an investigation by the Irish DPC into a 2018 Twitter security incident remains unresolved, as a draft decision failed to secure the support of other EU data protection authorities this August, leading to further delays in the pan-EU regulatory process.
This article has been updated to correct an error: it was Mike Convertino, not Michael Coates, whom Twitter had not replaced as CISO. Coates also previously held the position but left Twitter in March 2019, not March 2020 as originally reported.