Twitter fined half a million dollars for late data breach reporting
Twitter has been issued a big fine for late reporting of a data breach under GDPR rules.
Ireland’s Data Protection Commission slapped a fine of €450,000 ($547,000) on the social media company for failing to report an issue — which saw protected tweets become unprotected for some Android users — within the legally required timeframe per Europe's General Data Protection Regulation.
The DPC made its final decision on Tuesday after an investigation that commenced in Jan. 2019. Following a data breach in the 2018 holiday period, Twitter did notify the DPC, but the commission found that the company had reported it outside the 72-hour statutory notice period required under GDPR, and in doing so, "infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach."
The DPC described its €450,000 fine as "an effective, proportionate, and dissuasive measure."
It's not as hefty a fine as those Google's been slapped with in the EU, but it's a significant one. The DPC's decision is one of the first to go through the "dispute resolution" process since the introduction of the GDPR.
The data breach itself was connected to a much older bug in Twitter's code, according to the investigation, and was affecting protected tweets on Android devices.
"The data breach arose from a bug in Twitter's design, due to which, if a user on an Android device changed the email address associated with their Twitter account, the protected tweets became unprotected and therefore accessible to a wider public (and not just the user's followers), without the user's knowledge," reads the report. "During its investigation, Twitter discovered additional user actions that would also lead to the same unintentional result."
A bug was discovered on Dec. 26, 2018, according to the DPC's report, by an external contractor managing Twitter's bug bounty program, which allows anyone to report bugs. Twitter confirmed in the report that the bug was traced back to a code change made on Nov. 4, 2014 — and that between Sept. 5, 2017 and Jan. 11, 2019, 88,726 EU and EEA users were affected. This contractor shared the result with Twitter in the U.S. on Dec. 29, then on Jan. 2, Twitter's Information Security Team reviewed it, and decided "it was not a security issue but that it might be a data protection issue." Then, Twitter's legal team was notified, who decided the issue should be treated as an incident. On Jan. 4, Twitter triggered the incident response process "but due to a mistake in applying the internal procedure," the Global Data Protection Officer was not added to the incident ticket and wasn't notified until Dec. 7. Then, on Jan. 8, Twitter notified Ireland's DPC through its cross-border breach notification form, and the investigation commenced.
According to Twitter, the statutory reporting process to the DPC worked properly between May 25, 2018 and Dec. 2018, but due to lessened staffing over the 2018 holiday period between Christmas Day and New Year's Day, there was a delay in the incident response process.
In a statement attributable to Damien Kieran, Twitter’s chief privacy officer and global data protection officer, the company said it had fully cooperated with the DPC on its investigation.
“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process," he said.
Twitter said the reporting delay was an operational error due to reduced staffing over the holidays.
"An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion," said Kieran.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
According to Twitter, since this incident, all reports to the DPC have happened within the 72-hour statutory period. However, the holiday period for 2020 is just around the corner...