Just weeks after confessing it had tapped into users’ personal data without their consent to bombard them with advertising, Twitter has been forced to get down on its knees once more after admitting to yet another breach of sensitive information.
The social media giant has said it “inadvertently” used phone numbers and email addresses, provided by users to set up two-factor authentication for added security, to serve targeted ads.
The issue stemmed from the company’s “Tailored Audiences” ad scheme, which allows companies to target ads against their own marketing lists, such as phone numbers and email addresses.
But Twitter found that when advertisers uploaded their marketing lists, it matched Twitter users to the phone numbers and email addresses they had submitted to set up authentication on their account.
In a statement, the firm said: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologise.”
Twitter could not – or at least refused to – confirm how many people were affected by the issue, but claimed that no personal data was shared externally with its partners or any other third parties.
The company added: “As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.” Quite why it has taken the firm over two weeks to inform users is anyone’s guess.
In August, Twitter admitted to two separate issues in which it had shared personal data with advertisers without users’ permission. At the time, the tech giant insisted it was “taking steps to make sure we don’t make a mistake like this again”.
The latest cock-up comes as the Irish Data Protection Commission has confirmed it has concluded investigations into Twitter as well as Facebook’s WhatsApp over possible breaches of GDPR.
The investigations will now move into the decision-making phase, with Commissioner Helen Dixon issuing draft decisions within the next few weeks.
The tech industry – and data protection experts – are keeping a close eye on the rulings as they will be the first to come out of Ireland since GDPR came into force on May 25 last year and are likely to be seen as a litmus test for future enforcement action.
The first rulings to come out of the UK Information Commissioner’s Office – proposed fines against BA and Marriott International totalling £282m – sent shockwaves through the sector.
However, with tech giants the focus of most GDPR complaints, the pressure will be on Dixon to stamp her authority. Even so, when asked recently what action was likely, in light of the US settlement with Facebook, Dixon responded: “We’re not really looking at $5bn or what the FTC has done. We’ve got to look at this fairly under the legal framework that we have.”