NYS DFS Publishes its Investigative Report of the Twitter Hack of July 2020

The New York State Department of Financial Services issued a press release on Thursday announcing the publication of its investigative report of the July 2020 Twitter hack. The exhaustive report reviews the facts surrounding the hack, provides a visual timeline, and explores the cybersecurity weaknesses at Twitter that made the hack possible, including a lack of leadership, vulnerability to social engineering, and a failure to address the new vulnerabilities caused by the pandemic-driven shift to mass remote working.

A few key report findings we are highlighting: (1) the hackers accessed Twitter’s systems by calling employees and claiming to be from the IT department; (2) the hackers duped four employees into providing log in credentials which enabled them to hijack Twitter accounts of politicians, celebrities, entrepreneurs, and several DFS-regulated crypto currency firms; (3) the hackers engaged in Bitcoin fraud causing at least $118,000 in losses; and (4) the DFS-regulated crypto currency firms – all subject to the DFS Part 500 cybersecurity regulation – responded quickly to block attempted transfers to the Bitcoin addresses used by the hackers.

At the time of the attack Twitter did not have a CISO, nor did it have adequate access controls and identify management, or adequate security monitoring. The Report identifies best practices that address the weaknesses the hack exposed and recommends, among other things, that large social media companies be designated as systemically important institutions and be subjected to prudential regulation to manage their heightened cybersecurity risk.

A copy of the release and report is available at the links below.