“As Yogi Berra used to say, this is déjà vu all over again,” said
The FTC agreement lasts 20 years, which gives the commission an opening to scrutinize whether Twitter violated the pact by misleading consumers about its security protections. The FTC doesn’t have authority to fine companies for deceiving consumers unless the company is already subject to an existing settlement. The agency last year approved a
The FTC declined to comment.
“I’m sure that the FTC will look into it,” said
Twitter, which declined to comment, is already facing a
The FTC’s case against Twitter a decade ago was the first of its kind against a social network. Twitter as part of the agreement had to have an independent auditor assess its security practices every other year for 10 years. It also needed to name an employee responsible for information security and conduct risk assessments and tests of its security controls.
Companies that violate FTC agreements tend to see fines or more enforcement actions the second time around, said
“The FTC could do more” with Twitter, especially given that the company has seen other cybersecurity incidents since its settlement, Jehl said.
The latest hack was an apparent cryptocurrency scam, with compromised accounts tweeting a promise to double the money of anyone sending funds via Bitcoin within 30 minutes. In 2009, a phony Obama tweet offered more than 150,000 Twitter followers a chance to win $500 in gasoline.
Both seem to have involved hackers getting into accounts by targeting employees inside Twitter with access to internal controls.
“The insider threat problem is a really big deal for tech companies where their employees have so much access to sensitive data and processes,” Jehl said.
In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter. The password at the time was “a weak, lowercase, common dictionary word,” the FTC said.
The hacker then reset other passwords, letting intruders send phony tweets from accounts including Obama’s and that of Fox News.
A second breach occurred in April of that year, when a hacker was able to guess a Twitter employee’s password after compromising their personal email account.
To contact the editors responsible for this story:
John Hughes, Keith Perine
© 2020 Bloomberg L.P. All rights reserved. Used with permission.