Twitter has been issued a big fine for late reporting of a data breach under GDPR rules.
Ireland’s Data Protection Commission slapped a fine of €450,000 ($547,000) on the social media company for failing to report an issue — which saw protected tweets become unprotected for some Android users — within the legally required timeframe per Europe’s General Data Protection Regulation.
The DPC made its final decision on Tuesday after an investigation that commenced in Jan. 2019. Following a data breach in the 2018 holiday period, Twitter did notify the DPC, but the commission found that the company had reported it outside the 72-hour statutory notice period required under GDPR, and in doing so, “infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.”
The DPC described its €450,000 fine as “an effective, proportionate, and dissuasive measure.”
It’s not as hefty a fine as those Google’s been slapped with in the EU, but it’s significant one. The DPC’s decision is one of the first to go through the “dispute resolution” process since the introduction of the GDPR.
The data breach itself was connected to a much older bug in Twitter’s code, according to the investigation, and was affecting protected tweets on Android devices.
“The data breach arose from a bug in Twitter’s design, due to which, if a user on an Android device changed the email address associated with their Twitter account, the protected tweets became unprotected and therefore accessible to a wider public (and not just the user’s followers), without the user’s knowledge,” reads the report. “During its investigation, Twitter discovered additional user actions that would also lead to the same unintentional result.”
A bug was discovered on Dec. 26, 2018, according to the DPC’s report, by an external contractor managing Twitter’s bug bounty program, which allows anyone to report bugs. Twitter confirmed in the report that the bug was traced back to a code change made on Nov. 4, 2014 — and that between Sept. 5, 2017 and Jan. 11, 2019, 88,726 EU and EEA users were affected. This contractor shared the result with Twitter in the U.S. on Dec. 29, then on Jan. 2, Twitter’s Information Security Team reviewed it, and decided “it was not a security issue but that it might be a data protection issue.” Then, Twitter’s legal team was notified, who decided the issue should be treated as an incident. On Jan. 4, Twitter triggered the incident response process “but due to a mistake in applying the internal procedure,” the Global Data Protection Officer was not added to the incident ticket and wasn’t notified until Dec. 7. Then, on Jan. 8, Twitter notified Ireland’s DPC through its cross-border breach notification form, and the investigation commenced.
According to Twitter, the statutory reporting process to the DPC worked properly between May 25, 2018 and Dec. 2018, but due to lessened staffing over the 2018 holiday period between Christmas Day and New Years Day, there was a delay in the incident response process.
In a statement attributable to Damien Kieran, Twitter’s chief privacy officer and global data protection officer, the company said it had fully cooperated with the DPC on its investigation.
“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process,” he said.
Twitter said the reporting delay was an operational error due to reduced staffing over the holidays.
“An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion,” said Kieran.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We’re sorry it happened.
— Twitter Comms (@TwitterComms) December 15, 2020
According to Twitter, since this incident, all reports to the DPC have happened within the 72 hour statutory period. However, the holiday period for 2020 is just around the corner…