Superintendent Linda Lacewell Announces Release of New York State Department of Financial Services’ Report on Its Investigation into the July 15, 2020 Hack of High-Profile Twitter Accounts

by Alicyn Cooley

In her keynote session on October 14, 2020, the first day of the fall 2020 conference of New York University School of Law’s Program on Corporate Compliance and Enforcement, titled, Confronting Cybersecurity and Data Privacy Challenges in Times of Unprecedented Change, Superintendent Linda Lacewell of the New York State Department of Financial Services (DFS) announced the simultaneous release of DFS’s report on its investigation into the July 15, 2020 hack into the Twitter accounts of cryptocurrency firms and public figures.

By way of background, the hackers accessed Twitter's systems in July through the proverbial "front door": they simply called Twitter employees and gained their trust by claiming to work in Twitter's own information technology department. After persuading four Twitter employees to hand over their login credentials, the hackers hijacked the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk, and several cryptocurrency companies regulated by DFS, accounts with millions of followers. The hackers then tweeted "double your bitcoin" messages, with a link for sending bitcoin payments, and ultimately stole over $118,000 worth of bitcoin from consumers. As DFS reported, Coinbase, Square, Gemini Trust Company, and Bitstamp, all cryptocurrency companies under DFS's regulation, responded quickly to block attempted transfers to the bitcoin addresses used by the perpetrators.

DFS’s Investigative Findings Relating to Twitter

Noting in its press release about the report that 71 percent of Americans on Twitter use the platform as a source for news, and 42 percent discuss politics on Twitter, DFS stated that one key purpose of yesterday’s report was “to alert consumers and voters as they prepare to exercise their basic rights in American democracy, in one of the most consequential elections in generations.” Among other things, DFS found that “the ease of the Twitter hack shows Twitter’s vulnerability to an election-related hacking attempt.”

As detailed in the report, DFS's investigation revealed that, at the time of the July 15, 2020 hack, Twitter lacked adequate cybersecurity protections of the kind required by DFS's cybersecurity regulation, Part 500, including adequate access controls and identity management and adequate security monitoring, and did not have a chief information security officer (CISO). Although Twitter did have multifactor authentication (MFA) in place, the hackers managed to subvert it: they duped Twitter employees into entering their login information into a phishing website, then used those credentials to log in to Twitter themselves, which generated MFA approval prompts that some of the employees accepted. This aspect of the scheme, and the ease with which it evaded Twitter's security measures, demonstrate two things. First, regular training of employees in identifying and preventing phishing and other intrusion attempts is critical in addition to technical measures. Second, an MFA factor that asks the employee only to approve a prompt can be satisfied by whoever is holding the phished password at that moment, so the factor itself must be chosen with this relay attack in mind.
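The following simulation, added here as an illustration and not code from the DFS report, Twitter, or any of the firms named above, walks through the relay that defeated Twitter's push-style MFA and then goes one step beyond the report's narrative by showing why an origin-bound second factor (the property FIDO2/WebAuthn credentials have) fails the same relay. Every name in it is hypothetical: the identity provider, the employee, the password, the legitimate origin `vpn.twitter.example`, and the lookalike `twitter-helpdesk.example`. The "authenticator" is simplified to a keyed MAC over the challenge and the origin the browser is actually on; real authenticators use per-site asymmetric keys, but the origin binding is the property the example depends on.

```python
"""Relay-phishing against push MFA versus an origin-bound factor.

Added example; not code from the DFS report or from Twitter. All origins,
users, and secrets below are hypothetical/constructed.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://vpn.twitter.example"        # hypothetical legitimate login origin
PHISH_ORIGIN = "https://twitter-helpdesk.example"  # hypothetical attacker lookalike


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    """Simplified authenticator: MAC over challenge||origin.

    The browser, not the user, supplies `origin`, so an employee on the
    phishing page produces an assertion bound to PHISH_ORIGIN even if the
    challenge itself came from the real IdP.
    """
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy IdP offering two second factors: push approval and origin-bound."""

    def __init__(self) -> None:
        self.users = {}

    def enroll(self, user: str, password: str, approves_push) -> None:
        self.users[user] = {
            "password": password,
            "authenticator_key": secrets.token_bytes(32),  # stand-in for a FIDO2 credential
            "approves_push": approves_push,  # employee behaviour when a prompt arrives
            "challenge": None,
        }

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    # Mode 1: password + push approval (the factor the hackers defeated).
    def login_push(self, user: str, password: str):
        if not self._password_ok(user, password):
            return None
        # The prompt says only "Approve sign-in?". Nothing in it tells the
        # employee who is holding the password, so an employee who was just
        # "helped" by fake IT support approves it.
        if self.users[user]["approves_push"]():
            return f"session:{user}"
        return None

    # Mode 2: password + origin-bound assertion.
    def challenge(self, user: str) -> str:
        c = secrets.token_hex(16)
        self.users[user]["challenge"] = c
        return c

    def login_origin_bound(self, user: str, password: str, assertion: str):
        if not self._password_ok(user, password):
            return None
        rec = self.users[user]
        c, rec["challenge"] = rec["challenge"], None  # single use
        if c is None:
            return None
        expected = sign_assertion(rec["authenticator_key"], c, REAL_ORIGIN)
        return f"session:{user}" if hmac.compare_digest(expected, assertion) else None


def build_idp() -> IdentityProvider:
    idp = IdentityProvider()
    # Constructed employee who, after the pretext call, approves any prompt.
    idp.enroll("employee1", "Tw1tterP@ss", approves_push=lambda: True)
    return idp


def relay_phish_push(idp: IdentityProvider):
    """Attacker replays the phished password; the employee approves the push."""
    phished_password = "Tw1tterP@ss"  # typed into the phishing page (constructed)
    return idp.login_push("employee1", phished_password)


def relay_phish_origin_bound(idp: IdentityProvider):
    """Same relay, but the second factor is bound to the browser's origin."""
    phished_password = "Tw1tterP@ss"
    challenge = idp.challenge("employee1")  # attacker fetches a fresh challenge
    # Attacker forwards the challenge to the phishing page. The employee's
    # authenticator signs it for the origin the browser is really on.
    key = idp.users["employee1"]["authenticator_key"]
    assertion = sign_assertion(key, challenge, PHISH_ORIGIN)
    return idp.login_origin_bound("employee1", phished_password, assertion)


def legitimate_origin_bound(idp: IdentityProvider):
    """Control case: the employee logs in directly at the real origin."""
    challenge = idp.challenge("employee1")
    key = idp.users["employee1"]["authenticator_key"]
    assertion = sign_assertion(key, challenge, REAL_ORIGIN)
    return idp.login_origin_bound("employee1", "Tw1tterP@ss", assertion)


if __name__ == "__main__":
    idp = build_idp()
    print("push MFA, relayed:        ", relay_phish_push(idp))
    print("origin-bound, relayed:    ", relay_phish_origin_bound(idp))
    print("origin-bound, legitimate: ", legitimate_origin_bound(idp))
```

The push case succeeds because the only thing the IdP checks is that someone with the password asked and someone with the phone said yes; the relay satisfies both. The origin-bound case fails without any decision by the employee, because the assertion carries the phishing origin and the IdP expects its own. Training still matters for the pretext call itself, but only the second design removes the employee's judgement from the critical path.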

DFS’s Recommendation for a New Regulatory Regime for Large Social Media Companies

DFS also recommended in its report a new cybersecurity regulatory framework for large social media companies, in light of the apparent inadequacy of their self-regulation, to help prevent future incidents comparable to the Twitter hack.

DFS recommended the creation of an analogue to the process established by Congress in the wake of the 2007-08 financial crisis, by which the Financial Stability Oversight Council (FSOC) designates institutions “Systemically Important Financial Institutions” (SIFIs). The proposed new process, conducted by a new oversight council comparable to FSOC, would designate certain social media companies as “systemically important social media companies” after evaluating “the reach and impact” of the companies, “as well as the society-wide consequences of a social media platform’s misuse.” Once so designated, a social media company would be “subject to enhanced regulation, such as through the provision of ‘stress tests’ to evaluate [its] susceptibility to key threats, including cyberattacks and election interference.”

DFS explained that its proposal’s success “will depend on the establishment of an expert agency to oversee designated social media companies,” comparable to the Federal Reserve Board (which oversees SIFIs), but with “deep expertise in areas such as technology, cybersecurity, and disinformation.” DFS stated that such a new, expert regulator could be a completely new agency or reside within an established agency or at an existing regulator.  

Alicyn Cooley is an Adjunct Professor of Law and the Executive Director of the Program on Corporate Compliance and Enforcement at New York University School of Law, and a former federal prosecutor in the U.S. Attorney’s Office for the Eastern District of New York, where she served as Deputy Chief of the Business and Securities Fraud Section.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.