FTC, Twitter Settle Account Hacking, Privacy Breach Case
Under a settlement agreement, Twitter will be obligated to establish a more rigorous information security policy to prevent user accounts from being hijacked.
The United States Federal Trade Commission finalized its settlement with Twitter over charges that the micro-blogging site did not safeguard user privacy and misled users about its security practices. The commissioners finalized the settlement, originally announced back in June 2010, in a 5-0 vote on March 11, the FTC said.
The settlement addressed some "serious lapses in the company's data security," the FTC said.
The agreement bars Twitter for 20 years from making misleading statements about "the extent to which it protects the security, privacy and confidentiality" of private user information. Twitter must establish and maintain a comprehensive information security program, which will be independently audited every two years, according to the settlement.
Breaches of the agreement will result in fines of up to $16,000 per violation. Twitter will also absorb the costs of the biennial audit.
Hackers were able to gain control of Twitter in two separate incidents between January and May of 2009, the FTC said in its original complaint. Hackers accessed 45 accounts in January and 10 in April, according to Twitter.
Hackers figured out the passwords of Twitter staffers in the January incident and used that access to read private messages and send out bogus status messages from over two dozen accounts, including those of President Barack Obama, singer Britney Spears, and former CNN anchor Rick Sanchez. The hackers also gained access to the accounts' e-mail addresses, the mobile phone number if one was associated with the account, and the list of accounts blocked by users.