Twitter hack: Twitter’s permanent WFH policy requires a review of security features - comment from Netwrix
July 2020 by Ilia Sotnikov, VP at data security company Netwrix
Last night, several prominent figures including Elon Musk, Barack Obama and Bill Gates had their Twitter accounts hacked. Twitter confirmed it was a "co-ordinated social engineering" attack targeting its employees "with access to internal systems and tools".
Ilia Sotnikov, VP at data security company Netwrix, has made the following comments:
“This is a reminder for all of us that visibility into employee accounts that have access to critical data, internal tools and any kind of privileges is essential, especially at a time when most employees are still working remotely – particularly in Twitter’s case, where employees are now permitted to work remotely permanently. Organisations need to continuously audit user behaviour to be able to detect malicious activity in time, and to ensure that employees know how to spot and stop social engineering attacks. Also, it’s really important to pay attention to the least privilege principle. One employee who is able to grant permissions to high-profile accounts of celebrities, influencers and corporations is a huge risk.
“Despite Twitter being very quick to notice the hack and remediate it, cyber-attacks that involve compromise of employees’ credentials can be extremely difficult to detect and investigate. If the goal is to steal or modify sensitive data, in many cases organisations remain unaware that their security has been compromised. Such concealed attacks can last for weeks and even months, which dramatically impacts the total cost of a data breach.
“One aspect that may be overlooked in the news today is the impact of this attack on the privacy of Twitter users. A compromised privileged employee account like the one that could give access to corporate accounts can likely give access to thousands of “less impactful” personal accounts. This may turn into fines and private legal action against Twitter.
“I am curious to see if this hack entails any CCPA or GDPR penalties. Clearly, access to user accounts that contain names, email addresses or phone numbers might be seen as a violation of privacy legislation. This can turn into a hefty fine for Twitter, especially when the CCPA has just been enforced and the authorities might be looking for exemplary punishment.”