16 July 2020, updated 1 July 2021 12:14pm

Could Twitter face legal fallout from the blue-tick hack?

After one of the most high-profile cyber attacks in history, the social media company could suffer steep fines. 

By Laurie Clarke

For a brief period on Wednesday evening (15 July), Twitter was a quieter and more peaceful place. Verified accounts – the much-maligned “Blue Tick” monolith – were abruptly silenced. An attack which compromised the accounts of a range of the world’s most high-profile celebrities and politicians prompted the platform to suspend tweeting rights for two hours while attempting to remedy the issue.

From Elon Musk to Bill Gates, billionaires began announcing a sudden eagerness to “give back to the community” in the form of Bitcoin payments. Some appear to have fallen for the scam. The short-lived link in the compromised accounts’ tweets showed hundreds of contributions that totalled more than $100,000 – although it’s been pointed out hackers sometimes donate to their own funds to increase the appearance of legitimacy. It’s an unprecedented hack on the platform – could Twitter face legal fallout?

Twitter has said that the attack was the result of social engineering. Employees with “access to internal systems and tools” were apparently successfully targeted by the hackers. “We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company tweeted. There remains the question of whether the hackers were able to see direct messages and other sensitive information linked to the hacked accounts.

Motherboard reported that a Twitter insider was responsible for the activity and was apparently paid by hackers. “We used a rep that literally done all the work for us,” one of the attackers told the publication.

But regardless of whether the hack was the result of compromised systems or negligent employees, Twitter could potentially face legal action under GDPR if any EU citizen was affected either by being a victim of the hack or sending cash in response to the scammy tweets.


Toni Vitale, head of data protection at JMW Solicitors, said that the UK Information Commissioner’s Office can levy fines in cases where “they don’t think Twitter had adequate steps in place”. “They can investigate and they can take action, and the biggest sanction is a fine, which is up to 4 per cent of Twitter’s global annual turnover.” The ICO has not been reluctant to act against foreign companies: it has sanctioned Facebook before for failing to adequately protect users’ personal data.


Under GDPR, it’s a company’s responsibility to not only secure IT systems, but to train its staff to be alert to email spoofing and other social engineering attacks – the type which Twitter said a staff member fell prey to. Vitale said those affected could seek compensation. “There are lots of claim-handling companies that will take on class action suit on behalf of claimants and they may well get some damages.” However, in cases where it’s not sensitive personal data that has been hacked, the damages would be fairly low. “We’re talking probably in the hundreds of pounds per person,” says Vitale.

For those affected, this might just be the beginning. People who fall for such scams are often added to lists of “vulnerable” people that are circulated on the dark web. “My advice to anyone that sent Bitcoins in response to this is to very carefully monitor your systems, change your Twitter password straight away,” says Vitale. “It may well be that you’ve made yourself more likely to be a target of other hackers.”

Could those targeted band together to launch a blue-tick class action lawsuit? Theoretically they could, but it’s unlikely given that those targeted are high-net-worth individuals. “It could be that somebody with a bit of an axe to grind against Twitter might well decide to bring an action as a point to make a point,” says Vitale. Donald Trump is notorious for his high-profile rifts with the platform, but it’s unclear yet whether his account was compromised.

In the US, it’s less likely that such action would be fruitful anyway. There are some data protection laws for healthcare at the federal level, but the country doesn’t have an equivalent of the ICO, and most states don’t have data laws anywhere near as comprehensive as the EU’s. California is one of the exceptions, but New York recently failed to pass legislation that would grant more data rights. In view of this, unless individuals choose to take action, Twitter could well get away with a slap on the wrist.
