Twitter, FTC settle on charges of data security lapses

The FTC complaint stems from two hacking incidents in 2009 in which Twitter accounts were successfully compromised, including a hack of President Obama’s account and that of an administrative account for a Twitter employee.

The complaint charged that Twitter allowed “serious lapses” in its information security procedures, contrary to the company’s posted privacy policy that said the company “employ[s] administrative, physical, and electronic measures designed to protect information from unauthorized access”.

The means used to compromise the accounts were fairly low-tech, according to the FTC: in January 2009 an attacker used an automated password-guessing tool to gain administrative access to Twitter and thereby reset a number of users’ login details.

In what the FTC called the first such case against a social networking company, the commission unanimously agreed to a settlement that bars Twitter from making such a misleading privacy statement for 20 years and requires the company to establish an information security program that will be independently audited every other year for 10 years.

The FTC said that Twitter failed to employ “reasonable steps” to prohibit unauthorized access to its administrative systems.
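The January 2009 compromise described above relied on automated password guessing against an administrative login, and the FTC’s finding concerns the absence of reasonable controls against such access. One control that blunts automated guessing is per-account failed-attempt throttling with a temporary lockout. The following is an added illustration, not code from the article, the FTC or Twitter; the thresholds, window and lockout lengths are assumed values.

```python
"""Failed-login throttling against automated password guessing.

Added illustration, not code from the article or from Twitter: an
in-memory tracker that counts failed attempts per account inside a
sliding window and refuses further attempts (lockout) once a threshold
is reached. Thresholds and durations below are assumed, not sourced.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return True
        if until is not None:
            del self._locked_until[account]  # lock has expired
        return False

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. Call before accepting a login.

        While locked, even a correct password is refused, so a guessing
        tool that eventually hits the right value still gets nothing.
        """
        if self.is_locked(account, now):
            return "locked"
        self._prune(account, now)
        if password_ok:
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
        return "fail"


def simulate_guessing(attempts):
    """Replay constructed (account, password_ok, timestamp) tuples."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, ok, ts) for acct, ok, ts in attempts]
```

A real deployment would keep this state in a shared store rather than process memory, and would log lockouts so that a guessing campaign against administrative accounts is visible to the operations team.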

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection, in a press release. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”

“Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure”, he added.

For its part, Twitter responded with a blog posting that claimed it had already implemented many of the security practices recommended by the FTC. Twitter also maintained that these incidents, which took place more than a year ago, dated from a time when the company had fewer than 50 employees, and that the security breach affected only a small number of accounts.