Twitter Slapped with €450,000 GDPR Fine for Late Breach Notification

The Data Protection Commission (DPC) in Ireland has issued its first cross-border GDPR fine to the microblogging and social media network Twitter over a data breach that first came to light in December 2018. Twitter has been fined €450,000 ($544,000) for a failure to report the breach promptly and inadequate documentation of the breach.

The EU’s General Data Protection Regulation (GDPR) requires companies to report breaches to the appropriate data protection authority within 72 hours of the discovery of a breach. Companies are also required to document the breach, including the data that has been exposed and the steps taken to mitigate it. The DPC found Twitter had failed on both counts (see GDPR Articles 33(1) and 33(5)).

Twitter first learned of the breach on December 26, 2018, when a researcher reported a bug in its platform under its bug bounty program. The investigation confirmed there was a bug in Twitter for Android which caused protected tweets to lose their protected status if a user changed the email address associated with their account on Twitter for Android. Protected tweets can only be viewed by a Twitter user’s followers, whereas unprotected tweets can be viewed by anyone.

Twitter’s investigation revealed the bug was introduced on November 4, 2014. Twitter fixed the issue on January 11, 2018. Twitter was unable to determine how many users had been affected by the bug in total, as it was only possible to identify affected users between September 4, 2017 and January 11, 2018. During that time, 88,726 EU and EEA users had been affected, although the total number is likely to be far higher.

Twitter submitted a breach notification to the DPC on January 8, 2019, well after the 72-hour reporting deadline. Twitter explained that it was unaware of the severity of the breach, and only learned of the extent of the issue on January 3, 2019, which is when it activated its breach response process. The DPC noted that even if that were the case, Twitter had still missed the reporting deadline.

Damien Kieran, Twitter’s chief privacy officer and global data protection officer, issued a statement saying there had clearly been a failure in its incident response process, which has now been addressed. Kieran said that “an unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period.” Twitter also issued an apology to the individuals affected and said the company takes full responsibility for the mistake and welcomes the DPC decision.

Twitter cooperated with the DPC’s investigation, promptly corrected the issue, and took steps to ensure that similar incident response failures are avoided in the future. Twitter has since ensured all breaches have been reported within the 72-hour time frame.

Twitter can count itself fortunate that the financial penalty was not much larger. The maximum financial penalty for a GDPR violation is €20 million or 4% of global turnover for the previous financial year, whichever is greater. The financial penalty imposed on Twitter represents around 0.1% of its global turnover for 2019.

The DPC has faced criticism for the small fine, even though it is higher than the financial penalty the DPC initially proposed. To put the fine into perspective, Google was recently fined €100 million for dropping advertising cookies on the computers of users of the google.fr search engine without first obtaining clear and informed consent. The DPC has also faced criticism over the time it has taken to issue the financial penalty, especially considering its breach investigation was initiated on January 22, 2019.

Author: NetSec Editor