Ireland’s Data Protection Commission on Friday launched a probe into Twitter Inc. over a cybersecurity breach that affected 5.4 million of the company’s users.
At the start of the year, Twitter was notified of a vulnerability in one of its application programming interfaces. The vulnerability enabled hackers to learn the phone numbers and email addresses associated with Twitter accounts. According to the company, the issue emerged as a result of a faulty software update released in June 2021.
Twitter rolled out a patch soon after it was notified of the API vulnerability. However, hackers had by then managed to steal information belonging to 5.4 million Twitter users. That information was leaked last month, which is what prompted Ireland’s Data Protection Commission to launch its newly announced probe.
Prior to the launch of the probe, officials requested additional information from Twitter about its compliance with data privacy regulations. After reviewing the information, the Data Protection Commission determined that the company may have infringed the European Union’s GDPR privacy law. The regulator found that Twitter may have also breached the Data Protection Act 2018, the U.K.’s implementation of GDPR.
The probe will be carried out by the Data Protection Commission because Twitter’s EU head office is located in Ireland. The company maintains a presence in Ireland through a subsidiary called Twitter International Unlimited Company that is also known as TIC.
“The DPC considers it appropriate to determine whether TIC has complied with its obligations, as controller, in connection with the processing of personal data of its users or whether any provision(s) of the GDPR and/or the Act have been, and/or are being, infringed by TIC in this respect,” the regulator stated.
Previously, the Data Protection Commission issued a €450,000 fine to Twitter over its response to an earlier cybersecurity vulnerability. The vulnerability made some Android users’ private tweets publicly accessible for several years. Twitter resolved the issue in early 2019.
The EU’s GDPR law requires companies to promptly notify regulators of cybersecurity incidents, as well as provide detailed technical documentation. The Data Protection Commission fined Twitter €450,000 after determining the company failed to meet those criteria.
Meta Platforms Inc. has also drawn regulatory scrutiny in Ireland. Last month, the Data Protection Commission issued a €265 million fine to the company for not adequately securing Facebook users’ data. In September, Meta received a separate €400 million penalty after officials determined that Instagram had failed to comply with GDPR privacy requirements.