With all of the mess that surrounds Facebook and data security etc., it seems at times that other web properties are doing it well. That’s a dangerous assumption. Yesterday Twitter was thrown into the data security spotlight when it took some medicine from the Federal Trade Commission regarding data / security breaches in the past.
Twitter has agreed to settle allegations by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.
The Federal Trade Commission said Thursday that the settlement bars Twitter from misleading consumers about its security and privacy practices and requires the start-up to establish a comprehensive information security program.
No monetary damages were assessed.
By now, most people agree that there is no such thing as real and complete Internet security. While that is becoming more and more apparent every day it doesn’t give companies the green light to operate as if it’s not a responsibility that they have to take seriously.
The events that triggered this attention from the FTC were from January and April of 2009.
The FTC complaint said the breaches allowed hackers to gain administrative control over the online service, which lets users send brief messages called tweets to each other. According to the FTC, hackers were able to view e-mail addresses and other private user information, gain access to user messages, reset user passwords and send phony tweets from user accounts.
Hackers do what hackers do. That’s a fact of Internet life. It’s when the following word, in this case the “d” word, is used in relation to your company’s efforts that it’s time to stand up and do something.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” David Vladeck, head of the FTC’s Bureau of Consumer Protection, said in a statement.
Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it.
Why are we bringing up these incidents from 18 and 14 months ago that we already told people about? Because the United States Federal Trade Commission (FTC) launched an inquiry into our security practices related to these attacks and today announced that we’ve reached an agreement that resolves their concerns. Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices.
In this day and age no one likes to be associated with an FTC “look see” and eventual condemnation of privacy policies. While there has been little said to truly draw Twitter into the fray like Facebook has (of course Facebook doesn’t seem to act like morons about privacy like Facebook either) it still is a reminder that the Internet is a fun but potentially dark place.
Tweet at your own risk.