Investigation into Twitter hack targeting crypto firms results in call for new cybersecurity rules
The New York State Department of Financial Services (DFS) today published a report on the Department’s investigation into the July 15, 2020 hack into the Twitter accounts of cryptocurrency firms and well-known public figures. The report recommends a new cybersecurity regulatory framework for giant social media companies.
The hackers accessed Twitter’s systems by calling Twitter employees and claiming to be from Twitter’s IT department. After duping four employees into handing over their log-in credentials, the hackers hijacked the Twitter accounts of politicians, celebrities, and entrepreneurs, such as Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as those of several cryptocurrency companies regulated by the Department.
The hackers tweeted “double your bitcoin” messages, with a link to send payments in bitcoins. In the end, they stole about $118,000 worth of bitcoins from consumers. The Department notes that certain cryptocurrency companies (Coinbase, Square, Gemini Trust Company, and Bitstamp) responded quickly to block attempted transfers to the Bitcoin addresses the fraudsters used.
Twitter, however, lacked adequate cybersecurity protection. At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security monitoring.
The report notes that Twitter and other large social media companies have no dedicated federal or state regulator ensuring that their cybersecurity policies and programs adequately address the risks of their digital operating models. Instead, they are largely self-regulated and have no accountability for significant cybersecurity lapses.
The report recommends that the largest social media companies be designated as systemically important institutions, with prudent regulation to manage heightened cybersecurity risk.
According to the Department, these recommendations are critical to ensuring that the cybersecurity of global social media companies has oversight as they grow more systemically significant, and that they establish strong cybersecurity measures to secure their users’ accounts and safeguard business and political systems from outside influences.