N.Y. Department of Financial Services Releases Report On High-Profile Twitter Hack

On Wednesday, the New York State Department of Financial Services (NYSDFS) released its Twitter Investigation Report regarding Twitter’s July 15 cybersecurity incident, which resulted in the theft of more than $118,000 worth of bitcoin; the Department urged regulators to focus on the cybersecurity of social media companies.

According to the report, on July 15, a 17-year-old and an accomplice engaged in a widespread hack of various high-profile Twitter users, including Microsoft co-founder Bill Gates, presidential candidate Joe Biden, Kim Kardashian West, and companies such as Apple. The incident caused the hacked accounts to tweet asking their followers to donate cryptocurrency in a “double your bitcoin scam.” The New York State Department of Financial Services noted that “for several hours Twitter seemed unable to stop the hack.” The hackers stole more than $118,000 worth of bitcoin. However, NYSDFS noted that “this incident exposed the vulnerability of a global social media platform with over 330 million total monthly active users and over 186 million daily active users, including over 36 million (20%) in the United States.” The NYSDFS said this illustrates Twitter’s large role in society. However, the Department noted that because “Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.” Moreover, NYSDFS claimed that the hackers utilized basic, traditional scam techniques: namely, they placed “phone calls where they pretended to be from Twitter’s Information Technology department.” The Department added that no sophisticated techniques, such as malware or backdoors, were used. As a result, the Department noted that the fact that hackers obtained “extraordinary access…with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences.”

The Department stated that this incident highlights “the need for strong cybersecurity to curb the potential weaponization of major social media companies.” However, NYSDFS averred that public institutions are not meeting the challenges that are posed by social media companies. After the hack, lawmakers wrote to Twitter regarding the incident and its “apparent failure.” The NYSDFS noted that while “policymakers focus on antitrust and content moderation problems with large social media companies,” they must address cybersecurity, which “is also critical.” The NYSDFS called for social media companies to be declared systemically important and for regulators to be put in place with regard to cybersecurity, as is already done for telecommunications, finance, etc., to protect the public interest.

Specifically, the report gives an overview and reviews the facts and timeline of the hack, Twitter’s response, why it occurred, and preventative measures. It also provides background on Twitter and its influence and on the NYSDFS’s role in protecting consumers. The Department describes how the hack has impacted its “cryptocurrency licensees and their timely efforts to protect their customers from the fraud. It also describes the substantial threat cryptocurrency fraud poses to the industry.” The report also identifies weaknesses at Twitter, specifically cybersecurity weaknesses, and addresses best practices to remedy them, including cybersecurity measures and steps for cryptocurrency companies. Again, the report concludes with a call to action for regulation and a regulator to focus on social media companies and cybersecurity.