Twitter Hack May Bring Fine for Possible FTC Accord Violation

Twitter Inc. may face a large fine from U.S. regulators after a hack of several high-profile accounts including former President Barack Obama and Amazon.com Inc. Chief Executive Officer Jeff Bezos.

The Federal Trade Commission will review whether Twitter violated a 2010 settlement that resolved allegations that the company failed to safeguard consumer information in a 2009 hack, according to a person familiar with the matter. The 2009 incident, like the recent one, involved phony tweets from some accounts, including then President-elect Obama’s.

“As Yogi Berra used to say, this is déjà vu all over again,” said David Vladeck, a Georgetown University law professor who was director of the FTC’s Bureau of Consumer Protection at the time of the earlier hack settlement. The commission could start a new investigation or bring a complaint against Twitter for violating the terms of its existing agreement, Vladeck said.

The FTC agreement lasts 20 years, which gives the commission an opening to scrutinize whether Twitter violated the pact by misleading consumers about its security protections. The FTC doesn’t have authority to fine companies for deceiving consumers unless the company is already subject to an existing settlement. The agency last year approved a record $5 billion privacy settlement with Facebook Inc. to resolve the Cambridge Analytica data scandal. That fine stemmed from Facebook’s failure to comply with an earlier agreement with the agency.

The FTC declined to comment.

Chairman Joe Simons told the Senate in 2018 that when there is news of a data breach at a company, “then we are concerned about it and we are looking at it.”

“I’m sure that the FTC will look into it,” said Ashkan Soltani, former chief technologist for the agency who helped lead investigations into companies including Twitter. Soltani said the FTC would want to know how the hack happened and whether Twitter had adequate security.

Twitter, which declined to comment, is already facing a probe from the FBI’s San Francisco office and New York Attorney General Letitia James, who said the hack “raises serious concerns about data security and how platforms like Twitter could be used to harm public debate.”

The FTC’s case against Twitter a decade ago was the first of its kind against a social network. Twitter as part of the agreement had to have an independent auditor assess its security practices every other year for 10 years. It also needed to name an employee responsible for information security and conduct risk assessments and tests of its security controls.

Companies that violate FTC agreements tend to see fines or more enforcement actions the second time around, said Laura Jehl, global head of the privacy and cybersecurity practice at law firm McDermott Will & Emery.

“The FTC could do more” with Twitter, especially given that the company has seen other cybersecurity incidents since its settlement, Jehl said.

The latest hack was an apparent cryptocurrency scam, with compromised accounts tweeting a promise to double the money of anyone sending funds via Bitcoin within 30 minutes. In 2009, a phony Obama tweet offered more than 150,000 Twitter followers a chance to win $500 in gasoline.

Both seem to have involved hackers getting into accounts by targeting employees inside Twitter with access to internal controls.

“The insider threat problem is a really big deal for tech companies where their employees have so much access to sensitive data and processes,” Jehl said.

In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter. The password at the time was “a weak, lowercase, common dictionary word,” the FTC said.

The hacker then reset other passwords, letting intruders send phony tweets from accounts including Obama’s and that of Fox News.

A second breach occurred in April of that year, when a hacker was able to guess a Twitter employee’s password after compromising their personal email account.

To contact the reporters on this story:
Andrea Vittorio in Arlington at avittorio3@bloomberg.net;
David McLaughlin in Washington at dmclaughlin9@bloomberg.net

To contact the editors responsible for this story:
Sara Forden at sforden@bloomberg.net

John Hughes, Keith Perine

© 2020 Bloomberg L.P. All rights reserved. Used with permission.