Could Twitter face legal fallout from the blue-tick hack?

After one of the most high-profile cyber attacks in history, the social media company could suffer steep fines. 


For a brief period on Wednesday evening (15 July), Twitter was a quieter and more peaceful place. Verified accounts – the much-maligned "Blue Tick" monolith – were abruptly silenced. An attack which compromised the accounts of a range of the world’s most high-profile celebrities and politicians prompted the platform to suspend tweeting rights for two hours while attempting to remedy the issue.

From Elon Musk to Bill Gates, billionaires began announcing a sudden eagerness to "give back to the community" in the form of Bitcoin payments. Some appear to have fallen for the scam. The short-lived link in the compromised accounts' tweets showed hundreds of contributions that totalled more than $100,000 – although it's been pointed out hackers sometimes donate to their own funds to increase the appearance of legitimacy. It's an unprecedented hack on the platform – could Twitter face legal fallout?

Twitter has said that the breach was the result of a social engineering attack. Employees with "access to internal systems and tools" were apparently successfully targeted by the hackers. "We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it," the company tweeted. There remains the question of whether the hackers were able to see direct messages and other sensitive information linked to the hacked accounts.

Motherboard reported that a Twitter insider was responsible for the activity and was apparently paid by hackers. "We used a rep that literally done all the work for us," one of the attackers told the publication.

But regardless of whether the hack was the result of compromised systems or negligent employees, Twitter could potentially face legal action under GDPR if any EU citizen was affected, either by having their account compromised or by sending cash in response to the scam tweets.

Toni Vitale, head of data protection at JMW Solicitors, said that the UK Information Commissioner's Office can levy fines in cases where "they don't think Twitter had adequate steps in place". "They can investigate and they can take action, and the biggest sanction is a fine, which is up to 4 per cent of Twitter's global annual turnover." The ICO has not been reluctant to act against foreign companies: it has sanctioned Facebook before for failing to adequately protect users' personal data.

Under GDPR, it is a company's responsibility not only to secure its IT systems, but to train its staff to be alert to email spoofing and other social engineering attacks – the type which Twitter said a staff member fell prey to. Vitale said those affected could seek compensation. "There are lots of claim-handling companies that will take on a class action suit on behalf of claimants and they may well get some damages." However, in cases where it is not sensitive personal data that has been hacked, the damages would be fairly low. "We're talking probably in the hundreds of pounds per person," says Vitale.

For those affected, this might just be the beginning. People who fall for such scams are often added to lists of "vulnerable" people that are circulated on the dark web. "My advice to anyone that sent Bitcoins in response to this is to very carefully monitor your systems, change your Twitter password straight away," says Vitale. "It may well be that you've made yourself more likely to be a target of other hackers."

Could those targeted band together to launch a blue-tick class action lawsuit? Theoretically they could, but it is unlikely given the high net worth of the individuals targeted. "It could be that somebody with a bit of an axe to grind against Twitter might well decide to bring an action to make a point," says Vitale. Donald Trump is notorious for his high-profile rifts with the platform, but it is unclear yet whether his account was compromised.

In the US, it is less likely that such action would be fruitful anyway. There are some data protection laws for healthcare at the federal level, but the country does not have an equivalent to the ICO, and most states do not have data laws anywhere near as comprehensive as the EU's. California is one of the exceptions, but New York recently failed to pass legislation that would grant more data rights. In view of this, unless individuals choose to take action, Twitter could well get away with a slap on the wrist.

Laurie Clarke is a reporter at New Statesman Tech.
