Twitter may be facing a Federal Trade Commission (FTC) fine of up to $250 million, after the social media giant last year revealed the improper use of users’ email addresses and phone numbers.
In October 2019, Twitter acknowledged that user phone numbers and email addresses gathered for security purposes, as part of its two-factor authentication (2FA) policy, may have been used for targeted advertising between 2013 and 2019. It claimed that the move was an accident.
Fast forward to this week, in a 10-Q form filed with the Securities and Exchange Commission (SEC), the company said that on July 28, 2020, it received a draft complaint from the FTC regarding the incident. The complaint alleged violations of Twitter’s 2011 consent order with the FTC. This consent order demanded that Twitter not mislead customers about how it uses their information, for 20 years.
“The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million,” according to Twitter’s SEC filing. “The accrual is included in accrued and other current liabilities in the consolidated balance sheet and in general and administrative expenses in the consolidated statements of operations.”
In its October 2019 notice about the improper data use, Twitter explained that it had matched its users to advertisers’ marketing lists based on the email address or phone number the account holder had provided during two-factor authentication. Twitter did not disclose exactly when it discovered what was happening, but said that “as of Sept. 17,” the issue had been addressed. At the time, security experts widely criticized Twitter for its obvious breach of user privacy, particularly since it occurred via a mechanism that was meant to bolster user security, not undermine it.
Looking ahead, Twitter in its SEC filing said that “the matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”
Over the past year, a slew of fines and penalties have been imposed in connection with privacy and data breach incidents. In July 2019, the FTC slapped a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were Marriott ($123 million) and British Airways ($230 million).
Twitter, for its part, has had its fair share of privacy issues, including a recent high-profile Twitter hack that compromised 130 accounts belonging to prominent users such as Bill Gates, Elon Musk, Apple and Uber in order to promote a bogus advance-fee cryptocurrency deal. As part of this attack, the bad actors were able to access direct messages (DMs) for 36 of the 130 high-profile users whose accounts were hacked. Over the past few years, Twitter has faced other security issues: In 2018, a bug caused account passwords to be stored in plain text in an internal log; and that same year, a flaw was disclosed that enabled software developers to read users’ private direct messages.
Threatpost has reached out to both Twitter and the FTC for further comment.