Ireland’s Data Protection Commission (DPC), which acts as the EU’s data protection authority, has announced an investigation into Twitter in response to reports that packages of information from up to 5.4 million users around the world have been made available online. The body believes that “one or more provisions” of the General Data Protection Regulation (GDPR) have been breached, which could result in a penalty of up to 4% of the company’s annual revenue.
The Irish data protection authority considers that the platform may have breached several articles of the General Data Protection Regulation.
The leak of this information took place in 2021, months before it became known that Elon Musk intended to buy the platform. And it came about thanks to the exploitation of a vulnerability in the API that was fixed in June this year, after it had been published in January by the ethical hacker collective hackerone. But in July, several media reported that data obtained in this operation was for sale in various forums on illegal or controversial practices.
Specifically, these packages included platform identifiers, locations, verification statuses, phone numbers and email addresses. According to Twitter, no passwords were tapped in the process. One of the most striking aspects of what happened is that the data of users who had them in private was also exposed.
This investigation increases the pressure from European authorities on Twitter, whose owner has already been formally warned by Internal Market Commissioner Thierry Breton about the need to comply with the new rules that apply to it. The platform has already been fined €450,000 by the DPC in 2020 for failing to notify another data breach within the 72-hour deadline set by the GDPR.
Twitter is not the only social network to be in the Irish regulator’s sights lately, as this year Meta was fined €17 million in March and another €265 million in November. In the second case, for failing to protect the data of around 533 million users against an extraction through a technique known as scraping that happened a few years ago.