Twitter suffered from cybersecurity shortfalls that enabled a ‘simple’ hack in the summer, which compromised the accounts of high-profile figures, an official US report has concluded.
The report, from New York’s Department of Financial Services (DFS), also concluded that large social media companies should be “designated as systemically important institutions with prudent (federal) regulation to manage heightened cybersecurity risk.”
New York’s Department of Financial Services produced the report after New York Governor Andrew Cuomo ordered a probe following the 15 July hack of celebrity Twitter accounts.
In August, 17-year-old Graham Clark pleaded not guilty to charges that he organised that Twitter hack in mid-July.
That hack resulted in the Twitter accounts of very public figures and corporations, including Elon Musk, Jeff Bezos and Bill Gates, tweeting a bitcoin scam that offered to double people’s bitcoin payments.
The DFS report found that Twitter lacked adequate cybersecurity protections and, at the time of the attack, did not have a chief information security officer.
It said that the hackers had accessed Twitter’s systems with a simple technique: by calling Twitter employees and claiming to be from Twitter’s IT department.
After the hackers duped four employees into giving them their log-in credentials, they hijacked the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk, and several cryptocurrency companies.
Following the Twitter hack, the social networking firm confirmed that the hackers had targeted a small number of its staff through a phone “spear phishing” attack.
Twitter said it had taken “significant steps” to limit access to account management tools while the company’s investigation continued.
But the DFS report stated that despite being a global social media platform with over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection.
“At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring – some of the core measures required by the Department’s first-in-the-nation cybersecurity regulation,” the report stated.
“Considering social media’s increasingly critical role as a source of news and information, the ease of the Twitter hack shows Twitter’s vulnerability to an election-related hacking attempt,” it added.
“Twitter and other large social media companies have no dedicated federal or state regulator ensuring that their cybersecurity policies and programs adequately address the risks of their digital operating models,” it noted.
And the DFS report then recommended that there should be federal oversight of social media firms, given their size and importance.
“Instead, they are largely self-regulated and have no accountability for significant cybersecurity lapses as occurred in the Twitter hack,” it stated. “The report recommends that the largest social media companies, whose platforms reach millions of people around the world, should be designated as systemically important institutions with prudent regulation to manage heightened cybersecurity risk.”
“Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity,” explained superintendent of Financial Services Linda A. Lacewell.
“The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” said Lacewell. “As we approach an election in fewer than 30 days, we must commit to greater regulatory oversight of large social media companies.”
“The integrity of our elections and markets depends on it. The swift and effective response of DFS-regulated cryptocurrency companies illustrates how effective regulation can foster innovation and growth, while also protecting consumers,” said Lacewell.
Besides the US arrest and charges against Graham Clark, a man in the UK has also been arrested as part of the criminal investigation.
Mason Sheppard, 19, of Bognor Regis, was named as the UK citizen arrested, as was American Nima Fazeli, 22, of Orlando.