Twitter data scandal
Law firm for IT and data protection law in Cologne, Kerpen and Witten
Twitter data scandal / 5.4 million user data published
Since around the middle of 2022 it has been public knowledge that approximately 5.4 million Twitter user records of private individuals and companies, including phone numbers, e-mail addresses and other sensitive personal data, were captured by a hacker and even shared publicly. The hacker gained access to this sensitive personal data of users of the social network Twitter via an insecure interface (API) that was apparently outdated and, by mistake, not updated by the platform operator. Although Twitter announced at the beginning of the year, in January 2022, that this interface had been "fixed", it also admitted that it had been exploited before.
Originally, the hacker tried to sell the captured Twitter user data in a forum for $30,000.00 in July of this year, but then shared it publicly on the web. In detail, the problem behind this Twitter data scandal was probably that telephone numbers and e-mail addresses could be tried out at random via the aforementioned Twitter API in order to find the corresponding, matching Twitter ID. In this way, the hacker responsible was able, last year, to assign this Twitter user data in detail to a Twitter ID, i.e. to the Twitter account.
It is also known that other Twitter user data was exchanged or shared in closed networks, but not to what extent. Accordingly, it can be assumed that many more users of the social network Twitter are affected by this data scandal and must therefore fear that their sensitive personal data is now in the possession of shady networks with criminal ambitions. In the worst case, the affected persons face property theft, data theft, identity theft or even the looting of bank accounts, so it is advisable to obtain certainty through a lawyer as to whether one's personal data has been tapped and, if so, to take action against it.
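The following is an added example, not code from Twitter or from this page, showing from the defender's side what the enumeration described above looks like in an access log of a "find account by phone number or e-mail address" endpoint, and how such an endpoint can be built so that it no longer reveals whether an identifier belongs to an account. The log format, the /lookup path, the thresholds, the sample IP addresses and the sample accounts are constructed assumptions for illustration.

```python
"""Spotting identifier enumeration against an account-lookup endpoint, and
closing the existence oracle that such an endpoint creates.

Added example, not Twitter's code. Log format, /lookup path, thresholds and
sample data are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Columns: timestamp, client IP,
# request path, HTTP status. Status 200 = an account matched the identifier,
# 404 = no account. That difference is the oracle an enumeration script needs.
SAMPLE_LOG = """\
2022-07-01T10:00:00Z 203.0.113.5 /lookup?phone=49151000001 404
2022-07-01T10:00:00Z 203.0.113.5 /lookup?phone=49151000002 404
2022-07-01T10:00:01Z 203.0.113.5 /lookup?phone=49151000003 200
2022-07-01T10:00:01Z 203.0.113.5 /lookup?phone=49151000004 404
2022-07-01T10:00:02Z 203.0.113.5 /lookup?phone=49151000005 404
2022-07-01T10:00:02Z 203.0.113.5 /lookup?phone=49151000006 404
2022-07-01T10:00:03Z 203.0.113.5 /lookup?email=a1@example.net 404
2022-07-01T10:00:03Z 203.0.113.5 /lookup?email=a2@example.net 200
2022-07-01T10:00:15Z 198.51.100.7 /lookup?email=alice@example.com 200
2022-07-01T10:05:00Z 198.51.100.7 /lookup?email=alice@example.com 200
2022-07-01T10:09:00Z 192.0.2.9 /lookup?phone=49170000001 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) /lookup\?(?P<kind>phone|email)=(?P<ident>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def detect_enumeration(events, window_s=60, max_distinct=5):
    """Flag clients that query more than `max_distinct` different identifiers
    within any `window_s`-second window.

    Returns {ip: (distinct_identifiers, hit_ratio)} for flagged clients. A
    scanner probes many identifiers and mostly misses (low hit ratio); a real
    user looks up a handful of contacts and mostly hits.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each request
            window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            idents = {e["ident"] for e in window}
            if len(idents) > max_distinct:
                hits = sum(1 for e in window if e["status"] == 200)
                flagged[ip] = (len(idents), round(hits / len(window), 2))
                break
    return flagged


# Constructed directory of hypothetical accounts for the hardened endpoint.
DIRECTORY = {"49151000003": "user_1001", "a2@example.net": "user_1002"}
NOTIFICATIONS = []  # server-side side effect only; never visible to the caller


def uniform_lookup(identifier, directory=DIRECTORY, queue=NOTIFICATIONS):
    """Closed oracle: the response is identical whether or not `identifier`
    belongs to an account. A match is acted on server-side only (here: the
    account owner is queued for a notification), so repeated guessing learns
    nothing from the response body or status code."""
    owner = directory.get(identifier)
    if owner is not None:
        queue.append(owner)
    return {"status": 202,
            "message": "If this identifier belongs to an account, its owner will be notified."}


if __name__ == "__main__":
    print(detect_enumeration(parse_log(SAMPLE_LOG)))
```

Running the block flags only 203.0.113.5, which touched eight different identifiers within three seconds with a hit ratio of 0.25, while the two other clients stay unflagged. The hardened `uniform_lookup` complements the detection: rate limiting slows an enumeration down, but only a response that does not depend on account existence removes the information the scraper was after.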
What Twitter user data / records were captured?
Captured Twitter user data
Specifically, the following Twitter user data is involved:
- Private email addresses
- Private phone numbers
- Twitter IDs
- The full names of Twitter users
- Account names of Twitter users
- Verification status of users
- Residence of the users
- The URL associated with the profile
- Number of friends of Twitter users
- Favorites lists of the users
- URLs to the profile pictures of the users
What is scraping, anyway?
Definition of scraping
Scraping, often also referred to as screen scraping or web scraping, is a function that uses a script to read and store information from a website or online services, e.g. social media platforms. Google also uses such methods with the help of bots, for example, which "crawl" websites in order to index them afterwards. For the most part, this practice is of course also in the interests of the operators of websites and platforms, as more sales or a higher reach can be achieved through such indexing. However, scraping can also cause great damage if it is misused.
In the case of the highly publicized Facebook scraping scandal, the attackers took advantage of a feature of the platform that allowed users to upload their phone book so that friends and acquaintances could be found or added directly in the profile. The attackers used this contact import function to retrieve sets of user profiles and combined the phone numbers they had obtained with personal data extracted from the public profiles.
Is scraping itself illegal?
Scraping publicly accessible data is not illegal by definition, as long as no technical protection measures have to be overcome. However, what is subsequently done with the data obtained is not insignificant either. If, for example, images, articles or other data sets are tapped and then published without permission, this is a clear violation of copyright law. It should also be mentioned that the use of these data records for phishing campaigns is likewise a clear violation of the law.
In this context, however, the matter becomes precarious for the platform or website operator, since the GDPR lays down unambiguous and clear requirements for the collection and storage of personal data that must be followed. The operator must have a legitimate reason, or obtain the express consent of the user, to collect and store their sensitive personal data. In addition, this may only be done to the extent necessary to fulfill the intended function, and no further. Many social network operators also exclude scraping from the outset in their terms and conditions.
More dramatic data leaks and data scandals at Twitter in the past
Other incidents in the past
Allegedly, there was a far more extensive data leak of stolen Twitter user data in the past. That leak is said to involve more than 17 million user accounts and the associated sensitive personal data that has come into circulation in hacker circles.
Back in 2016, it became known via Twitter that at least 32 million Twitter accounts and associated passwords had been stolen by a hacker who was trying to sell this access data on the darknet at the time. The complete stolen data sets at that time included e-mails, usernames and associated passwords. Twitter then had no choice but to block all affected user accounts, after separately notifying their owners of the incident, until they reset their passwords and created new ones. Here, too, it remained questionable who was responsible for this case or for this security gap on the part of the platform operator.
Why does such a Twitter data scandal pose a risk to those affected?
Risk for potentially injured parties
The danger for the person whose personal data was captured in such a scenario is that unlawfully captured data records can be distributed to other third parties or shared with them. These third parties could use a user's personal data, such as telephone numbers and e-mail addresses, for phishing attacks or even, in the worst case scenario, for identity theft on the Internet.
What is phishing?
Definition of phishing
Phishing is a term derived from the English word "fishing", meaning angling, and describes the attempt by an attacker to obtain a victim's personal data by sending spam e-mails, setting up fictitious websites or sending direct messages to the victim's cell phone. With the obtained / captured data of the victim, this method aims at property theft, data theft, identity theft and, as the worst consequence, even the looting of the affected person's account. Many attackers also use the victim's data, for example, to gain control of PayPal, eBay or Amazon accounts and thus make purchases at the victim's expense.
Phishing messages are usually kept very general by the attackers, which you can easily recognize from the wording of the "phishing e-mails". However, there is also a more sophisticated form of phishing, known as "spear phishing". In this method, the messages sent to the victim are tailored on the basis of data already gathered about him or her in order to create the impression of a genuine message.
It is therefore always advisable to be skeptical of any form of message that comes your way asking for personal information.
What are Twitter's obligations and does this constitute a breach of the GDPR?
Legal obligations of Twitter under Art. 5 DSGVO and Art. 25 DSGVO
Quite clearly, yes! According to current case law and the applicable General Data Protection Regulation (DSGVO), the operator of the social network, in this case Twitter, is responsible for taking and applying appropriate security precautions to prevent sensitive personal data of Twitter users from being read out and stored by scraping in the manner already described. Under Article 25(1) and (2) GDPR, the responsible operator, Twitter, is obliged to take technical and organizational measures to ensure that personal data are not made available by default to an indefinite number of natural persons without the data subject's intervention.
Furthermore, this misconduct of the social network Twitter constitutes a violation of Article 5(1)(e) and (f) GDPR. These "principles relating to processing of personal data" state that personal data may be kept in a form that permits identification of data subjects only for as long as is necessary for the purposes of the processing, and not indefinitely; this serves to protect the rights and freedoms of data subjects and may be departed from only for purposes in the public interest, archiving purposes, scientific and historical research purposes, and statistical purposes.
Article 5(1)(f) GDPR states that the party processing the data must ensure that stored sensitive personal data are filed and stored in such a way that protection against unauthorized or unlawful processing and against accidental loss, destruction or damage is guaranteed.
What rights do I have as a data subject? Compensation for damages?
Assertion of the claims of the injured party
As a potentially affected person of this Twitter data scandal, everyone has the possibility under Art. 15 GDPR to assert a right of access against Twitter. A data subject may therefore, under Art. 15 GDPR, demand information from Twitter as to whether he or she, and thus also his or her stored sensitive data, is affected by the data leak. If Twitter subsequently provides no information or only incomplete information, the data subject has a claim for damages under Art. 82 GDPR, which he or she may assert against Twitter.
The fact is that in many similar cases, such as the Facebook data scandal or the WhatsApp data scandal, German courts have already awarded plaintiffs high damages on the basis of the claim for damages arising from Art. 82 GDPR. One of the reasons for this is that the amounts of damages resulting from such GDPR violations are intended to have a deterrent effect on platform and website operators, so that the applicable General Data Protection Regulation (GDPR) continues to be observed and complied with, especially by them.
However, with regard to asserting the claim for damages as a data subject of the Twitter data scandal, it is essential to seek legal support for the enforcement of your claims in the form of a lawyer with expertise in data protection law. In a legal dispute with a large corporation like Twitter, attempting this on your own would be negligent and not conducive to the goal if you want to be successful.
Extract from Art. 82 GDPR
What requirements must be met to claim damages under Art. 82 GDPR?
Requirements for the assertion of the claim for damages
First of all, after detailed information has been received from the controller, in this case Twitter, it must be examined intensively for a possible breach of duty against the "principles relating to processing of personal data", Art. 5(1) DSGVO. What matters is whether it is evident that the company responsible for the processing has fulfilled the following criteria. In summary, the information provided is checked for lawfulness, fair processing, transparency, purpose limitation, compliance with data minimization and storage limitation, as well as accuracy, integrity and confidentiality. If this examination by the lawyer establishes that the data subject's data was not processed in compliance with the GDPR, it looks extremely bad for the company.
It should also be mentioned here that if the company Twitter does not comply with the request for information in detail or within a period of 4 weeks, this in itself constitutes a violation of the GDPR and thus by law justifies a claim for damages for the person requesting the information.
In addition, once it is established that a claim for damages exists, the damage must be quantified. In the case of material damage, this is quite simple, as the other party is required to pay the full amount of the damage. In the case of non-material damage, however, this is somewhat more complicated, because in most scenarios it is set at a flat rate of EUR 5,000.00, unless there are grounds that would justify a higher amount.
However, it should also be mentioned that in the past there have already been compensation payments of EUR 6,500.00 - EUR 12,500.00 for unencrypted e-mail correspondence between companies and consumers, as well as for the unauthorized sending of newsletters to persons who had not consented to this receipt / inclusion in the distribution list.
Therefore, given the proof of this data breach and the admission of insufficient security measures by the company Twitter reported in the media, it can be assumed that it is quite possible to claim considerably higher amounts beyond EUR 5,000.00.
How can we as a law firm for data protection law help a data subject?
Assertion of the claims of the injured party
Our task is to help data subjects exercise their rights. First, in accordance with Article 15 GDPR, we demand that Twitter provide us with information about all of our client's personal data that has been processed, as well as proof that it has not been accessed or stored by an unauthorized person.
If this information is not provided, if it reveals a breach of duty pursuant to Article 5(1) DSGVO, or if it is incomplete even in part, we will, together with our client, formulate a claim for damages pursuant to Article 82 DSGVO that is as high as realistically possible, in the fastest possible way. We will then first attempt to reach an out-of-court settlement with the other party, the company Twitter, and if this fails, we will file a lawsuit against Twitter with the competent court.
Examples of similar cases on WhatsApp and Facebook
Examples of similar cases on WhatsApp & Facebook
An example of a case similar to Twitter's is that of Facebook, a company of the Meta Group, where millions of account records of users of the social media platform also appeared in a hacker forum due to a data leak in the spring of 2021. This incident caused a furor and at the same time a veritable wave of lawsuits from the people affected.
On September 14, 2022, the Zwickau Regional Court made a landmark decision with regard to such incidents, ruling in favor of the plaintiff, an injured party whose data had demonstrably been siphoned off and extracted, and ordering Facebook to pay EUR 1,000.00 in damages in these proceedings. The reasoning behind this decision was that the user had suffered non-material damage within the meaning of the European General Data Protection Regulation (AZ: 7 O 334/22), as the company had only inadequately protected this sensitive data from hacker attacks. A clear example and proof that consumers can also defend themselves against such abuses on the part of large corporations.
What role does legal expenses insurance play in this case?
The legal protection insurance & coverage
Basically, if the person concerned wishes to assert a claim for damages through a lawyer, he or she is better placed with regard to the cost risk if legal expenses insurance has been taken out. If not, the person concerned must bear the costs of hiring the lawyer to examine the claims for damages and of the subsequent extrajudicial and judicial enforcement of these claims themselves.
It should also be mentioned here that, in the best case, the client submits a coverage request to his or her legal expenses insurer, presenting the facts of the case and requesting that the costs of hiring a lawyer be covered, even before first contacting the lawyer. Ideally, the client already has a cover note from the legal expenses insurer confirming that the lawyer's costs will be assumed. This greatly accelerates the prompt handling of the mandate, since the lawyer can then devote himself exclusively and with full focus to the legal facts.