That’s according to a report by the New York State Department of Financial Services following an investigation into this summer’s hack of more than 100 high-profile Twitter accounts, as TechCrunch and The Hill report.
The NYSDFS criticized Twitter for allowing itself to be compromised so easily by the “simple” technique of hackers calling Twitter employees and claiming to be from the company’s IT department. By comparison, the agency noted that cryptocurrency companies, which it regulates, “responded quickly to block” the spread of the scam.
“The report recommends that the largest social media companies, whose platforms reach millions of people around the world, should be designated as systemically important institutions with prudent regulation to manage heightened cybersecurity risk,” according to a press release. Twitter also comes under fire in the report for not having a CISO when the hack took place. Mike Convertino departed last December, and the company announced in September that it had filled the post by hiring Rinki Sethi.
“Despite being a global social media platform boasting over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection,” the NYSDFS wrote. “At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring—some of the core measures required by the Department’s first-in-the-nation cybersecurity regulation.”
In a statement to Cyberscoop, a Twitter spokesperson said: “Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly. As we shared on September 24, 2020, we will continue to prioritize and accelerate our efforts to increase the security of our platform and how our teams work. We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely.”
Separately, Twitter sustained a global outage on October 15, as Bloomberg reports. Service was out for about an hour and a half. The company said it was investigating the issue and that it saw no evidence of a breach.
Twitter is also awaiting the results of a European probe into a data breach disclosed in January 2019. As The Wall Street Journal reports, it will probably be next year before the European Union’s privacy regulators publish a final ruling in the matter, which could generate a fine of as much as 2% of global revenue.