On October 14, 2020, NYDFS issued a report on its investigation of the July 2020 Twitter hack. According to the agency's findings:
– Hackers accessed Twitter’s systems by calling Twitter employees and claiming to be from Twitter’s IT department; hijacked Twitter accounts of politicians, celebrities, and entrepreneurs with hundreds of millions of followers; and then engaged in a bitcoin fraud scheme causing at least $118,000 in losses.
– Cryptocurrency firms regulated by NYDFS — all of which are subject to the Department’s comprehensive cybersecurity regulation — responded quickly to block attempted transfers to the Bitcoin addresses used by the fraudsters, thereby mitigating fraud losses.
– Although it has an average of 330 million users per month, at the time of the attack Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security monitoring.
The report recommends that the largest social media companies be designated as “systemically important” institutions with prudent regulation to manage heightened cybersecurity risk. Expect this to have an impact. DFS continues to play a leadership role in cybersecurity enforcement.
The NYDFS report may be found here: https://www.dfs.ny.gov/Twitter_Report