Twitter is facing a $250M fine from the FTC after admitting that the social media giant was misusing customer data, using contact details collected for security purposes for targeted advertising on the platform.
Twitter has said the details were ‘inadvertently’ used for advertising rather than for the security purposes it cited when asking customers to hand over phone numbers and email addresses for two-factor authentication.
This was confirmed in a statement to the SEC regarding the complaint filed by the Federal Communications Commission over improper use of customer data that was intended for security purposes but was used for marketing instead.
“This [security] data may have inadvertently been used for advertising purposes.” – Twitter
The FTC’s complaint alleges breaches of a consent order issued by the FTC regarding how the platform was using customer information. The FTC says that phone numbers and email addresses collected for security purposes were also being used for advertising.
The FTC alleges that this is a grave misuse of customer data, with the FCC asking Twitter to be transparent about how phone numbers collected for two-factor authentication (2FA) might end up being used for targeted advertising.
Twitter has issued a statement outlining that “we recently discovered that when you provided an email address or phone number for safety or security purposes… this data may have inadvertently been used for advertising purposes.”
“The company estimates that the range of probable loss in this matter is $150 million to $250 million and has recorded an accrual of $150 million,” Twitter told investors in the statement to the SEC. “The accrual is included in accrued and other current liabilities in the consolidated balance sheet and in general and administrative expenses in the consolidated statements of operations.”
Twitter said that “the matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” adding that “we’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
The FTC’s large-scale fine is the result of Twitter reportedly being in breach of a 2011 agreement with the FCC, under which the social media company agreed not to mislead its customers about how their information would be used once handed over.
Twitter released a statement in October of 2019 explaining that it had “recently discovered” email addresses and phone numbers used for “safety or security purposes” were “inadvertently” being used for its Tailored Audiences and Partner Audiences advertising feature.
A spokesperson for the FTC has confirmed the agency has launched an “open investigation of Twitter.”
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware… no personal data was ever shared externally with our partners or any other third parties,” Twitter added.
Technologist and former Uber developer Can Duruk tweeted at the time that “data is a liability, Twitter edition… phone numbers stored for 2FA end up in advertising hellhole. The more you accrue, the more someone inside your org will find a way to abuse it.”
A report from Threat Post also quotes Matthew Green, associate professor at Johns Hopkins University, who says that “in all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system… this is like using raw meat to secure your tent against bears.”