Cybersecurity Lessons from the Twitter Hack as New York’s Chief Financial Services Regulator Calls for a Dedicated Cybersecurity Regulator of Large Social Media Companies

There are cybersecurity lessons to be learned from high profile data breaches and the ensuing regulatory responses. The recent well-publicized Twitter hack is no different. According to the New York State Department of Financial Services (“NYSDFS”) investigation and report, on July 15, 2020, a 17-year old hacker and his accomplices easily misled Twitter’s employees into disclosing their credentials resulting in a breach of Twitter’s network and the hackers’ takeover of accounts assigned to high-profile users in just a 24-hour period. The NYSDFS concluded that Twitter’s cybersecurity safeguards were inadequate, permitting the hackers to impersonate politicians, celebrities, entrepreneurs and several cryptocurrency companies by abusing their Twitter accounts to solicit bitcoin payments in a “double your bitcoin” scam. The top takeaways were that social media and consumer organizations should conduct comprehensive workforce cybersecurity training, have strong cybersecurity leadership that effectively manages account access and authentication and utilize a Security Incident Event Management (SIEM) solution to detect and respond to threats in real time. Notably, in light of its findings, the NYSDFS is now calling for the dedicated cybersecurity regulation of large social media companies akin to the NYSDFS cybersecurity regulation for financial services organizations because “[t]he risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions.”

The NYSDFS found that the hackers acted like garden variety fraudsters by duping Twitter employees into entering their credentials on a phishing website by pretending to be calling from the Help Desk of Twitter’s Information Technology department about recent issues with Twitter’s VPN. The employees were directed by the hackers to sign into a website, which looked identical to the Twitter VPN website and was hosted by a similar domain, but was in reality a phony website controlled by the hackers. As the employees entered their credentials in the phony website, the hackers simultaneously entered their credentials in Twitter’s real VPN website. The hackers gained account access after the false login generated a 2^nd factor notification to the employees’ mobile phones to authenticate themselves, which some of the employees did. After gaining access to the network, the hackers successfully escalated their attack by targeting other Twitter employees who had a higher level of privilege with access to internal tools permitting the takeover of high profile user accounts.

The NYSDFS concluded: “The Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.” The NYSDFS found that Twitter had no chief information security officer since December 2019, seven months before the Twitter hack. The report also found that the hackers directly exploited Twitter’s shift to remote working during the pandemic. According to the NYSDFS: “The ramp up to total remote working in March 2020 put a strain on Twitter’s technology infrastructure, and employees had frequent problems with the VPN connections to the network. The hackers took advantage of these issues and pretended to be calling from Twitter’s IT department about a VPN problem.” The hackers had researched Twitter’s organization learning basic functions and titles of Twitter employees, so they could more effectively impersonate Twitter’s IT department. Despite public guidance by numerous regulatory authorities, including NYSDFS, to identify and respond to cybersecurity risks during the pandemic, NYSDFS found that Twitter did not implement any significant compensating controls after March 2020 to mitigate this heightened risk to its remote workforce, and the hackers took advantage. The hackers here sought to commit garden-variety financial fraud, but the report emphasized that a similar “hack, when perpetrated by well-resourced adversaries, could wreak far greater damage by manipulating public perception about markets, elections, and more.”

The NYSDFS concluded that although Twitter is subject to generally applicable data privacy and cybersecurity laws, such as the California Consumer Privacy Act, the New York SHIELD Act, and the European Union’s General Data Protection Regulation, all of which regulates the storage and use of personal data, “there are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report. That regulatory vacuum must be filled.”

While it remains to be seen if the NYSDFS’ report will ultimately result in momentum for the appointment of a new national cybersecurity regulator, social media and other consumer facing organizations should look at their own practices in light of the Twitter hack, and take steps now to address the risks to a remote workforce as outlined in our recent blog “Cybersecurity In The Age Of The Covid-19 Remote Worker and Beyond.”