FTC Bars Twitter "For 20 Years From Misleading Consumers" About Privacy After 2009 Hacks

Today, the FTC settled a lengthy investigation into Twitter’s lax security practices and protection of user accounts after two high-profile hacking incidents in 2009. The first one, which occurred in January 2009, compromised 35 high-profile accounts, including those of President Barack Obama, Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. According to the FTC:

One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline.

The other attack occurred in April 2009, and involved a hacker gaining access to a Twitter employee’s email account, which stored the employee’s administrative password. The hacker in question was the Frenchman who goes by the handle Hacker Croll. (Later, this was the same hacker who sent us confidential Twitter documents, but that incident was not part of the FTC investigation.)

The FTC’s concern in the matter is the ability of hackers to breach Twitter’s password system and gain access to user accounts. According to the FTC:

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.

The FTC provides a list of security measures Twitter failed to have in place, which Twitter says were implemented subsequent to the attacks. It may sound silly to bar Twitter from “misleading consumers” for 20 years, but that is essentially the life of the order and gives the FTC the ability to fine Twitter for future security breaches to the tune of $16,000 per incident. Without this order and the settlement, the FTC does not have what is known as civil penalty authority.

A source at the FTC tells me that the agency is “closely watching social media for information at risk.” Compromised social networks are increasingly becoming a way for fraudsters to reach and trick consumers. Twitter is on notice now, and so are other social networks, that they must do everything they can to protect users’ accounts from security breaches.