The Data Protection Commission (DPC) of Ireland, Twitter's lead supervisory authority in the European Union (EU) under the GDPR's one-stop-shop mechanism, has fined Twitter €450,000 (approximately $547,000) for failing to properly notify and document a personal data breach as required by the EU's General Data Protection Regulation (GDPR).
The investigation began in January 2019, when the DPC received a breach notification from Twitter reporting a flaw in its systems that could have exposed user data. The DPC found that Twitter had infringed Article 33(1) of the GDPR, which requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and Article 33(5), which requires the controller to document the breach, its effects and the remedial action taken.
The breach arose from a design bug: if a user on an Android device changed the email address associated with their Twitter account, their protected tweets (tweets meant to be visible only to approved followers) were silently switched to unprotected, making them accessible to a wider public without the user's knowledge. The bug was discovered on 26 December 2018 through the company's bug bounty program, which is run by an external contractor and through which anyone may submit a bug report.
Twitter reported that the bug affected around 88,726 users between September 2017 and January 2019, when it was fixed. However, the bug was traced back to a code change made in 2014, so the actual number of affected users may be higher.
This is the first decision the DPC has issued under the GDPR against one of the large technology companies it supervises. The regulator also has a backlog of more than 20 ongoing inquiries into companies including Facebook, WhatsApp, Google and Apple.