Twitter was fined €450,000 for failing to notify the Irish Data Protection Commission (DPC) of a security breach within the 72-hour deadline and for not documenting it properly. Both are infringements of the General Data Protection Regulation (GDPR).
The commission said it had been investigating Twitter since January 2019. According to the DPC, Twitter violated GDPR Article 33(1) and 33(5), that is, failure to notify the breach in time and failure to properly document it. “DPC imposed a €450,000 administrative fine on Twitter as an effective, proportionate and dissuasive measure,” says the commission in a press release.
The GDPR is the data policy regulation in Europe that went into effect in May 2018, after the scandals involving Facebook, Cambridge Analytica and the election of former President Donald Trump in the United States. Under the regulation, regulators such as Ireland's DPC can impose fines of up to €20 million or an amount equivalent to 4% of the company’s annual revenue.
The case
The leak that led to Twitter's fine was caused by a bug, at least six years old, in the social network's Android app. The bug allowed private tweets from protected accounts to be exposed.
According to BleepingComputer, Twitter said it did not realize the seriousness of the problem until January 3, 2019, although the bug was discovered on December 26, 2018, through the company’s bug bounty program. Even so, the company failed to report the case on time, only notifying the DPC on January 8.
On Twitter, the company said it regrets that this happened, takes responsibility for the error and guarantees to work to protect the privacy of its users. It also said it collaborated closely with the Irish DPC during the investigation.
Sources: Data Protection Commission (DPC); BleepingComputer; Twitter.
See the original post at: https://thehack.com.br/twitter-demora-14-dias-para-avisar-sobre-vulnerabilidade-e-e-multado-em-eu-450-mil-na-irlanda/?rand=48873