16 July 2020, updated 01 Jul 2021 12:14pm

Could Twitter face legal fallout from the blue-tick hack?

After one of the most high-profile cyber attacks in history, the social media company could suffer steep fines. 

By Laurie Clarke

For a brief period on Wednesday evening (15 July), Twitter was a quieter and more peaceful place. Verified accounts – the much-maligned “Blue Tick” monolith – were abruptly silenced. An attack which compromised the accounts of a range of the world’s most high-profile celebrities and politicians prompted the platform to suspend tweeting rights for two hours while attempting to remedy the issue.

From Elon Musk to Bill Gates, billionaires began announcing a sudden eagerness to “give back to the community” in the form of Bitcoin payments. Some appear to have fallen for the scam. The short-lived link in the compromised accounts’ tweets showed hundreds of contributions that totalled more than $100,000 – although it has been pointed out that scammers sometimes send money to their own wallets to make the scheme look legitimate. It’s an unprecedented hack on the platform – could Twitter face legal fallout?

The site has said that the attack was the result of social engineering. Employees with “access to internal systems and tools” were apparently successfully targeted by the hackers. “We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company tweeted. There remains the question of whether the hackers would have been able to see direct messages and other sensitive information linked to the hacked accounts.

Motherboard reported that a Twitter insider was responsible for the activity and was apparently paid by hackers. “We used a rep that literally done all the work for us,” one of the attackers told the publication.

But regardless of whether the hack was the result of compromised systems or negligent employees, Twitter could potentially face legal action under GDPR if any EU citizen was affected, either by being a victim of the hack or by sending cash in response to the scam tweets.

Toni Vitale, head of data protection at JMW Solicitors, said that the UK Information Commissioner’s Office can levy fines in cases where “they don’t think Twitter had adequate steps in place”. “They can investigate and they can take action, and the biggest sanction is a fine, which is up to 4 per cent of Twitter’s global annual turnover.” The ICO hasn’t been reticent to act on foreign companies. It’s sanctioned Facebook before for failing to adequately protect users’ personal data.

Under GDPR, it’s a company’s responsibility not only to secure its IT systems, but to train its staff to be alert to email spoofing and other social engineering attacks – the type which Twitter said a staff member fell prey to. Vitale said those affected could seek compensation. “There are lots of claim-handling companies that will take on a class action suit on behalf of claimants and they may well get some damages.” However, in cases where it’s not sensitive personal data that has been hacked, the damages would be fairly low. “We’re talking probably in the hundreds of pounds per person,” says Vitale.

For those affected, this might just be the beginning. People who fall for such scams are often added to lists of “vulnerable” people that are circulated on the dark web. “My advice to anyone that sent Bitcoins in response to this is to very carefully monitor your systems, change your Twitter password straight away,” says Vitale. “It may well be that you’ve made yourself more likely to be a target of other hackers.”

Could those targeted band together to launch a blue-tick class action lawsuit? Theoretically they could, but it’s unlikely given the high net worth individuals targeted. “It could be that somebody with a bit of an axe to grind against Twitter might well decide to bring an action as a point to make a point,” says Vitale. Donald Trump is notorious for his high-profile rifts with the platform, but it’s unclear yet if his account was compromised.

In the US, it’s less likely that such action would be fruitful anyway. There are some data protection laws for healthcare at the federal level, but the country doesn’t have an equivalent to the ICO, and most states don’t have data laws anywhere near as comprehensive as the EU’s. California is one of the exceptions, but New York recently failed to pass legislation that would grant more data rights. In view of this, unless individuals choose to take action, Twitter could well get away with a tap on the wrist.