Twitter’s security fiasco of July 15, 2020 worsened overnight. On the morning of July 16, 2020, in a story titled “Twitter hack targets Elon Musk, Joe Biden, Apple and hundreds more”, Hannah Murphy and Patrick Mcgee wrote:
“Twitter said on its support account that it had detected a ‘co-ordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools’.”
This revelation raises the risk level an order of magnitude above yesterday’s broader announcement. If the attackers used information available online about “employees with access to internal systems and tools” to identify and contact those employees, then Twitter’s risk management team needs to explain why that information was exposed “in the wild”. Twitter’s peers (Facebook, Snapchat) and the large IaaS vendors (Amazon AWS, Microsoft Azure, Google Cloud) seem to do a better job of keeping such information private.
Senior management should be asking key technical employees to stay off social media. LinkedIn is an especially risky site: it groups people who list the same employer into a company roster, and anyone can scan that list. An attacker can phish people on the list into revealing which colleagues play a strategic role, such as holding access to internal tools. From there it is not a big leap to names, email addresses and telephone numbers, and the next steps look a lot like the Twitter story.
Why should you care?
If you run an early stage tech business, you should be asking employees to restrict their use of social media to prescribed activities, or to none at all. Forget about whether the request seems harsh. If you don’t ask it, your big customers will. Skeptical? Review the personal data handling guidelines of any large organization in the public or private sector. They all include highly detailed requirements not only for procedures, but for the people permitted to perform those procedures.
The Twitter fiasco exposes not only management to criticism, but also its auditors. Twitter is a public company, and someone will surely ask why identity and access security was not covered in its IT audits. On top of the damage Twitter the brand will suffer from this security failure, Twitter’s revenue engine will also take a hit, especially since the hijacked accounts all belonged to very prominent people. Ugh.