Data Protection Commission to fine Twitter €450,000 for bug breach

15 Dec 2020

Twitter headquarters in San Francisco, California. Image: © Tada Images/

The decision follows an investigation into a data breach affecting Android users that was reported to the company in late 2018.

Today (15 December), the Data Protection Commission (DPC) announced its decision to fine Twitter €450,000 under GDPR for a data breach that was discovered in December 2018.

The DPC’s investigation began in January 2019 after Twitter disclosed that some users’ protected tweets had been made public.

In its decision, the DPC said that Twitter failed to comply with GDPR Articles 33(1) and 33(5) as the company did not notify the DPC of the breach on time and didn’t adequately document it.

The commission called the fine an “effective, proportionate and dissuasive measure”. It added that the decision was the first to go through the dispute resolution process since GDPR was introduced. It was also the first draft decision made by the DPC in a Big Tech case on which all EU supervisory authorities were consulted.

GDPR came into effect in May 2018 and gives data regulators the power to fine companies up to 4pc of their global turnover from the previous year or €20 million, whichever is greater, for violating Europe’s data protection rules. The Irish DPC is responsible for a number of tech giants that have European headquarters in Dublin.

Twitter design bug

According to the decision document, the data breach was caused by a bug in Twitter’s design that affected Android users. If an Android user changed the email address linked to their Twitter account, their protected tweets automatically switched to unprotected and became publicly accessible without alerting the user. It was later found that other user actions triggered the same result.

The bug was discovered on 26 December 2018 by an external contractor managing Twitter’s bug bounty programme, which allows security researchers and professionals to file vulnerabilities. It was traced back to a code change implemented on 4 November 2014.

Only users affected between 5 September 2017 and 11 January 2019 could be examined, however, due to a Twitter retention policy on information logs. Twitter said that during this period, more than 88,000 EU and EEA users were affected. However, more users may have been impacted outside of this timeframe.

Although Twitter informed its legal team of the breach on 2 January 2019, a mistake in the internal incident response procedure meant that the company’s global data protection officer wasn’t notified until 7 January. The DPC was then notified the following day.

A ‘potential shake-up’

In response to the DPC fine, Twitter said that it respects the decision, which relates to a failure in its incident response process.

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur,” it added.

Chris Strand, chief compliance officer at threat-intelligence firm IntSights, said the DPC decision represents the EU’s intent to “seek balance between ensuring the GDPR is properly enforcing the legal obligation on data controllers and to keep the law consistently positioned to be the reigning baseline standard for international data privacy disputes”.

“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” he added.

“This could certainly cause a potential shake-up to international tech giants and set a new precedence on how they are doing business in the future.”

Lisa Ardill was careers editor at Silicon Republic until June 2021