The recent Twitter hack affecting figures like Jeff Bezos, Elon Musk and Presidential aspirant Joe Biden has left many questioning the company’s ability to protect data. According to Twitter, the hackers were able to access the accounts of over 130 people including their direct messages. One of the breached inboxes belongs to an undisclosed elected official in the Netherlands. In addition, eight unverified accounts had all of their data downloaded including their direct private messages.
Before the tweets were taken down, the hackers were able to generate over $121,000 through the Bitcoin address in the tweets.
It is no surprise that the breach is raising concerns about Twitter’s ability to prevent and respond to a data breach. The potential impact of another hack targeting public figures on the upcoming US elections is also in question. The FBI is reportedly launching an inquiry into Twitter following the data breach.
Before discussing the lessons the breach poses for organisations, let’s review how the breach happened.
Social engineering is at the core of this data breach
According to a Twitter spokesperson, the attack was caused through:
“A coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Social engineering is a broad term describing the process of psychologically manipulating people into performing actions or sharing personal information such as login credentials or bank account details.
For example, the smishing scam directed at HSBC customers used social engineering in the form of a text message. The text appeared to alert people to a fraudulent payment attempt on their banking app, but in reality victims were directed to a fake landing page where they would enter their login information.
There have been several social engineering-related breaches this year, with hackers exploiting the coronavirus pandemic. Social engineering attacks are especially dangerous because they only require a few victims to cause damage.
In Twitter’s case, the scam only required a few employees to fall victim. The hackers were then able to access and use Twitter’s internal tool to take control of other people’s accounts and post their cryptocurrency message. As social engineering attacks become increasingly sophisticated, it’s important for you to take measures to stay safe.
3 cybersecurity lessons from the incident
- The first step to securing information is to make sure that access to sensitive data is granted on a need-to-know basis according to roles and responsibilities. Review internal systems and user access rights.
- Train and educate your staff on social engineering. It’s inevitable that some people will have access to confidential information and sensitive controls. This is all the more reason to invest in training your staff on various forms of social engineering such as phishing, smishing and email hacks. Research shows that employee error is one of the biggest reasons for a data breach so this should be a top priority.
- Data protection isn’t a one-time compliance exercise. Opt for a continuous compliance approach where you monitor and review risks on an ongoing basis. There are always new risks on the horizon, and this approach is more likely to keep your data safe.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and have received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.