Last month Twitter reported that it suffered a data security breach at the hands of hackers. While the details of the hack are still unclear, Twitter has stated that through “a coordinated social engineering attack by people who successfully targeted . . . employees with access to internal systems and tools,” hackers duped employees into handing over administrative access privileges. This enabled hackers to take over high-profile accounts; 130 accounts, including those of Barack Obama, Joe Biden, Jeff Bezos, and Elon Musk, were compromised. Of these, hackers accessed the direct messaging of 36 accounts and sent tweets from them.
The fraudulent tweets stated that bitcoin sent to the bitcoin wallet included in the tweet would be doubled and returned to the sender. About 400 victims sent approximately $120,000.
The full extent of the breach is still unknown. The media has reported that some cybersecurity experts are concerned that the bitcoin scam may be masking a vast breach involving the personal communications of the world’s most powerful people. Investigations are ongoing.
The breach puts companies of all sizes on notice that even in our present climate, when there is so much to be concerned about, all businesses should be making cybersecurity and information handling a priority. In spite of the fact that we’re in the midst of a pandemic and the economy and many businesses have been battered, sound information privacy practices, such as employee training (the significance of which the Twitter breach illustrates), vendor policies and monitoring, privacy best practices, and appropriate cybersecurity measures, are critical. These are especially important in our heavily remote working environment, where workers may be more distracted than usual or working via computers that are not adequately secure.
Many companies still believe that these are backburner issues. However, the constant parade of data breaches and the continued rapid development of privacy laws demonstrate otherwise.
A recent study by data privacy protection platform Osano reports that companies of all sizes that have poor privacy practices are 80% more likely to experience a data breach. According to the report, the highest number of data breaches were from hacker attacks (approximately 85%) and “inside jobs” (approximately 6.7%; most but not all occurred in the financial sector), which occur, for example, by or with the assistance of employees. Other types of data breaches (inadvertent disclosure, lost device, etc.) constituted 1% each. Governments are most likely to be breached, and government and education websites are many times more likely to experience a breach than commercial websites.
In addition to being aware that they could be vulnerable to a data breach, companies both large and small should be cognizant of the fact that there are federal and state privacy and data security laws that are applicable to them. Lack of compliance can lead to regulatory investigations and fines, consumer lawsuits, bad publicity, and loss of consumer confidence and clientele.
Businesses of all sizes should consult with privacy professionals to evaluate their privacy practices and fulfill their data privacy and data security compliance obligations.
By Gille Ann Rabbin, Esq.,