Twitter has been in the throes of controversy ever since its acquisition by Elon Musk at the end of October. While the company has been trying to launch features that would entice users to subscribe to its Twitter Blue service, people have been quick to point out that Twitter has been quite reckless in implementing them. Now the Irish Data Protection Commission (DPC), which is the presiding authority over personal data storage and processing compliance in the European Union, has announced an investigation into Twitter following alleged breaches of the General Data Protection Regulation, or GDPR.
The investigation stems from data collected in December 2021 using a Twitter API vulnerability that exposed the phone numbers and email addresses of individual Twitter users. The company fixed the vulnerability in January 2022, but the dataset of 5.4 million affected users was shared for free on an online forum in November this year. Another dataset appeared later, allegedly containing 17 million affected users. Bleeping Computer contacted some of the users in the dataset and confirmed the information was real, but could not independently confirm the overall size of the dataset or its total legitimacy.
The DPC, having considered the information provided by TIC [Twitter International Unlimited Company] regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data.
While these alleged breaches of the GDPR occurred under the previous ownership, Twitter as a legal entity is still responsible for upholding the law and will have to answer to the DPC in an investigation that could see the company saddled with a multi-million euro fine, as happened to Meta in the past, should it be found to have breached GDPR. The dataset that the DPC is currently investigating pertains only to the 5.4 million affected users, but the investigation could be expanded in the future.
Twitter no longer has a communications team, and we’ve reached out to Musk for comment.
Source: Irish Data Protection Commission