Updated December 31st, 2022 at 13:27 IST

Twitter to be investigated over data-protection breach affecting over '400 million' users

Twitter is set to be investigated by Ireland's Data Protection Commission (DPC) over a hack claim involving private details of more than 400 million accounts.

Reported by: Sagar Kar

Elon Musk's Twitter is set to be investigated by Ireland's Data Protection Commission (DPC) over a hack claim involving the private details of more than 400 million accounts, according to a BBC report. The hacker, known as "Ryushi," is demanding $200,000 to hand over and delete the data, which reportedly includes that of some celebrities. The DPC has said it will "examine Twitter's compliance with data-protection law in relation to that security issue." The data is said to include phone numbers and emails, but the scale of the hack has not been confirmed. Only a small "sample" has so far been made public.

The Guardian reported that data belonging to US Congresswoman Alexandria Ocasio-Cortez was included in the sample of data published by the hacker. The data of broadcaster Piers Morgan, who recently had his Twitter account hacked, is also reported to be included. Twitter has not commented on the claim.

"Ryushi" plans to sell the data

Cyber-crime intelligence company Hudson Rock raised the alarm about the data sale. While acknowledging the amount of data taken had not been verified, the company's Chief Technology Officer, Alon Gal, told the BBC that a number of clues appeared to support the hacker's claim. The data did not appear to have been copied from an earlier hack in which details were published from 5.4 million Twitter accounts, according to Gal.

He also noted that "Ryushi" plans to sell the database through an escrow service offered on a cyber-crime forum, which is typically only done for genuine offerings. In a statement, the DPC acknowledged its ongoing investigation into an earlier Twitter hack but said: "Reports have claimed that some additional datasets have now been offered for sale on the dark web. The DPC has engaged with Twitter in this inquiry and will examine Twitter's compliance with data-protection law in relation to that security issue." As Twitter's European headquarters are based in Dublin, the DPC is the lead authority responsible for supervising the platform's compliance with EU data-protection rules.

"Ryushi" claims to have compiled the data by exploiting a problem with a system that allows computer programs to connect with Twitter. Twitter fixed the weakness in 2022, but the flaw is also believed to have been used in the earlier hack affecting more than five million accounts. The DPC announced it was investigating that hack on 23 December.

The hacker has warned Twitter that its best chance of avoiding a large data-protection fine is to buy back the data "exclusively." In November, Meta was hit with a €265 million ($276 million) fine by the DPC after data scraped from more than 533 million Facebook users was leaked online. The UK Information Commissioner's Office (ICO) has said it is aware of "media reports" regarding Twitter users' personal information being made available on the internet, that it is "engaged in dialogue with Twitter's data protection officer," and that it will "be making enquiries on this matter." The ICO added that it will co-operate with the Data Protection Commission of Ireland.

Published December 31st, 2022 at 13:27 IST