Today, Twitter and the Federal Trade Commission settled charges that the micro-blogging site had engaged in unfair and deceptive trade practices because of “serious lapses in the company’s data security.” The FTC began an investigation into Twitter after hackers obtained administrative control of the service, accessed tweets that consumers had designated private, and sent out phony tweets (from then-Presidential candidate Barack Obama, Fox News, and others).
In its complaint, the FTC alleged that Twitter was vulnerable to these attacks because it failed to take certain reasonable steps to prevent unauthorized administrative control of its system. Those steps included:
- Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
- Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
- Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
- Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
- Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
- Restricting access to administrative controls to employees whose jobs required it
- Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
Under the settlement, the FTC will require Twitter to set up a new security program to be assessed by a third party. It will also be prohibited from what the agency described as “misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.”
According to the FTC, this marks the 30th case brought as a result of lax security procedures, and the first against a social network.