Regulators in Ireland have fined Twitter for failing to report a data breach promptly and not adequately documenting the incident, marking the first time the regulator has penalized a “big tech” company for violations of Europe’s data protection law.
The fine of 450,000 euros, or about $550,000, stems from a bug that allowed thousands of people’s private tweets to be made public between late 2014 and early 2019, when Twitter reported the problem to European authorities. The social media company said it could only identify specific users affected by the breach from September 2017 onward — about 89,000 total over that stretch. The bug only affected users of Twitter’s Android app.
Ireland’s Data Protection Commission issued the decision Tuesday on behalf of the European Union, under the EU’s General Data Protection Regulation (GDPR). Twitter’s European headquarters are in Ireland, as are those of Google, Facebook and several other multibillion-dollar U.S. tech companies, meaning the Irish regulator often takes the lead on this kind of incident.
The DPC called the fine an “effective, proportionate and dissuasive measure.” Twitter found out about the breach in December 2018, but did not notify the commission until Jan. 8, 2019 — well beyond the 72-hour window stipulated under GDPR. The commission also said Twitter failed to comply with rules requiring full documentation of which users were affected and when. GDPR went into effect in May 2018.
Twitter announced the bug publicly on Jan. 17, 2019. Before it was patched, if a user of the Android version of the company’s app changed the email address associated with their account, the “Protect Your Tweets” setting was inadvertently disabled.
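The Android bug as an added illustration, not Twitter's code: the page does not say what caused it, so the cause shown here (a settings handler that rebuilds the whole account record from the email form and lets the omitted privacy flag fall back to its default) is an assumption, shown beside the corrected handler and the invariant a regression test would enforce.

```python
# Added illustration of the bug class described above; hypothetical code,
# not Twitter's. Assumption: the "Protect Your Tweets" flag was lost because
# a profile-edit handler reconstructed the account from the submitted form.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    email: str
    protected: bool = False   # "Protect Your Tweets": accounts default to public


def update_email_buggy(acct: Account, form: dict) -> Account:
    """Rebuilds the record from the form. The email form never carries
    'protected', so the flag silently reverts to the public default."""
    return Account(email=form["email"], protected=form.get("protected", False))


def update_email_fixed(acct: Account, form: dict) -> Account:
    """Changes only the field this request is allowed to change; every other
    setting, including the privacy flag, is carried over unchanged."""
    return replace(acct, email=form["email"])


def privacy_preserved(before: Account, after: Account) -> bool:
    """Invariant for a regression test: a profile edit must never widen
    tweet visibility (protected may be turned on, never silently off)."""
    return after.protected or not before.protected


def demo():
    # Constructed sample: a protected account submits an email change.
    acct = Account(email="old@example.com", protected=True)
    form = {"email": "new@example.com"}
    buggy = update_email_buggy(acct, form)
    fixed = update_email_fixed(acct, form)
    return privacy_preserved(acct, buggy), privacy_preserved(acct, fixed)


if __name__ == "__main__":
    print(demo())  # (False, True): the buggy handler breaks the invariant
```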
In a statement issued Tuesday to multiple news outlets, the company said it had worked with EU regulators closely on the incident.
“We respect the commission’s decision, which relates to a failure in our incident response process … we have made changes so that all incidents following this have been reported to the commission in a timely fashion,” said Damien Kiernan, Twitter’s chief privacy and global data protection officer, according to the Irish Times.
Twitter has taken steps this year to boost its security credentials, including hiring influential hacker Peiter “Mudge” Zatko as its security chief last month. The company has regularly found itself on the front lines in battling public misinformation about the coronavirus pandemic and the 2020 elections in the U.S.