Twitter lambasted for lax security after ‘embarrassing’ hack
Social media platform Twitter had lax cyber security mechanisms in place before an “embarrassing” hack in July, which saw accounts of high-profile users being hijacked.
The New York State Department of Financial Services (DFS) yesterday released a report on the department’s investigation into the 15 July hack into the Twitter accounts of crypto-currency firms and well-known public figures, following governor Andrew Cuomo’s request to investigate the matter.
Among the findings, the DFS says the global social media platform lacked adequate cyber security protections and, at the time of the attack, did not have a chief information security officer (CISO).
The report recommends a new cyber security regulatory framework for giant social media companies.
In July, Twitter was hit by a massive social engineering attack targeting top users such as US presidential candidate Joe Biden, Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, former US president Barack Obama, and reality TV star Kim Kardashian.
The attackers also hijacked the accounts of Microsoft founder Bill Gates, Uber and Apple, among others.
Three individuals, two of whom are teenagers, were later charged for their alleged roles in the Twitter hack.
“Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cyber security,” says DFS superintendent Linda A Lacewell.
“The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer. As we approach an election in fewer than 30 days, we must commit to greater regulatory oversight of large social media companies.
“The integrity of our elections and markets depends on it. The swift and effective response of DFS-regulated crypto-currency companies illustrates how effective regulation can foster innovation and growth, while also protecting consumers,” says Lacewell.
The DFS explains that the hackers gained access to Twitter's systems with a simple technique: they phoned Twitter employees and claimed to be from Twitter's IT department. After the hackers duped four employees into handing over their log-in credentials, they used that access to hijack the Twitter accounts, it adds.
The hackers tweeted simple “double your Bitcoin” messages, with a link to send payments in Bitcoins. In the end, they stole over $118 000 worth of Bitcoins from consumers, says the DFS.
It notes the department's regulated crypto-currency companies – Coinbase, Square, Gemini Trust Company and Bitstamp – responded quickly to block attempted transfers to the Bitcoin addresses the fraudsters used.
“Despite being a global social media platform boasting over 330 million average monthly users in 2019, Twitter lacked adequate cyber security protection,” the department notes.
“At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring – some of the core measures required by the department’s first-in-the-nation cyber security regulation.”
Considering social media’s increasingly critical role as a source of news and information, the DFS notes, the ease of the Twitter hack shows Twitter’s vulnerability to an election-related hacking attempt.
It points out that Twitter and other large social media companies have no dedicated federal or state regulator ensuring their cyber security policies and programmes adequately address the risks of their digital operating models.
“Instead, they are largely self-regulated and have no accountability for significant cyber security lapses as occurred in the Twitter hack,” the department says.
The report recommends that the largest social media companies, whose platforms reach millions of people around the world, should be designated as systemically important institutions with prudent regulation to manage heightened cyber security risk.