Twitter is being probed over personal data protection after a hacker claimed to have details of more than 400 million users.
Identified as “Ryushi”, the hacker is demanding $200 000 or £166 000 to hand over the data and delete it. The details include that of some celebrities.
Ireland’s Data Protection Commission (DPC) says it will look into Twitter’s compliance with data protection law in relation to that security issue.
The watchdog launched an own-volition enquiry pursuant to section 110 of the Data Protection Act of 2018 following multiple media reports showing one or more collated datasets of Twitter user personal data had been made available on the internet.
The DPC is an Irish supervisory authority responsible for upholding fundamental rights of individuals in the EU to have their personal data protected.
Twitter’s European headquarters are based in Dublin, therefore, the DPC is the lead authority supervising its compliance with EU data protection rules.
High profile Twitter users’ data at risk
Although the size of the haul is not confirmed, reports say the data includes phone numbers and email addresses including those of celebrities and politicians.
The Guardian reported US Congresswoman Alexandria Ocasio-Cortez’s data was included in the sample published by the hacker.
“The datasets were reported to map Twitter IDs to email addresses and or telephone numbers of associated data subjects,” said DPC.
“The DPC corresponded with Twitter International Company in relation to a notified personal data breach that TIC Claims to be the source vulnerability used to generate the datasets and raised queries in relation to DGPR compliance,” adds DPC.
Twitter mute over the claim
Twitter has not issued an official statement on enquiries about the personal data leaks.
Krebs however notes the breach probably occurred before Musk took over as Twitter CEO.
Cyber-crime intelligence company Hudson Rock says it was the first to raise the alarm about the personal data sale.
The firm’s chief technology officer Alon Gal told the BBC there were a number of clues that appeared to support the hacker’s claim, although agreeing the amount of data had not been verified.
However, Gal said it seemed the data was not copied from an earlier breach in which details were published from 5.4 million accounts
According to Gal, only 60 emails of the sample 1 000 provided by the hacker in the earlier incident appeared and was confident that this breach “is different and significantly bigger.”
“The hacker aims to sell the database through an escrow service that is offered on a cyber-crime forum. Typically, this is only done for real offerings,” he said.
An escrow service is a third party that agrees to release funds only when certain conditions such as handing over data are met.
Concerns have been raised over personal data protection at a time the world is increasingly becoming digital.
Knowing how damaging the loss of data can be to the platform, the hacker has warned Twitter that its best chance of avoiding a large data-protection fine is to buy the data “exclusively.”
“Ryushi” highlighted they exploited a problem with a system that lets computer programmes connect with Twitter to compile the data.
Although Twitter fixed the problem in the system, it is believed the weakness was used in an earlier breach which affected more than 5 million accounts.
The data included personal information of 533 million users from 106 countries including over 32 million records on users in the US, 11 million in the UK and 6 million users in India exposing their phone numbers, full names, locations, bios, birthdates and in some cases their email addresses.
Its parent company – Meta was fined $276 million over the data breach.