Ireland’s data commissioner says it is trying to “establish further details” from Twitter, after the company this week admitted it had “inadvertently” used users’ phone numbers and emails – provided for 2FA security purposes – to help serve targeted ads.
In an undated notice tucked away on its help centre page, Twitter said “we cannot say with certainty how many people were impacted by this”.
Twitter 2FA Apology: Follows Facebook’s Fine
The company is the latest social media platform to be caught deploying users’ personal details for purposes they have not explicitly agreed to.
Facebook was hit with a record $5 billion fine by the US’s FTC in July for privacy abuses that included exactly the same thing. As part of the Department of Justice’s requirements in a 20-year settlement was a blanket ban on the practice.
Twitter’s European operations are headquartered in Ireland and any European data breaches are the responsibility of Irish data commissioner.
Its office told Cmputer Business Review: “Twitter has contacted us in relation to this issue and we are currently engaging with them to establish further details.”
Read More: Facebook Fined a Record $5 Billion – FTC Commissioner Slams “Blanket Immunity” for Zuckerberg, Sandberg
Twitter said in the post that it had “recently discovered,” that when users had provided the platform with mobile numbers and email address in order to reinforce their personal security, it was matching those details with third-party marketing lists.
Twitter are maintaining that this was not intentionally done stating that “This data may have inadvertently been used for advertising purposes.”
See also: Rolling Out 2FA: The Simple Step Your Business Should Take to Improve Security
Twitter touts its ‘Tailored Audiences’ feature to advertisers, which helps marketers target specific Twitter users.
Company typically come armed with a marketing database that often contains email or mobile numbers they have independently collated.
Twitter admitted that: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes.”
Twitter Data Breach Uncertainty
According to them the Twitter 2FA issue is fixed as of September 17, 2019.
The company doesn’t say why the personal data was not in a segregated location or system, or why users were not notified that this may happen, simply commenting cryptically: “We have addressed the issue that allowed this to occur.”
In the European Union this issue, if investigated, will most likely be handled by the Irish Data Protection Commissioner Helen Dixon, who is already in the process of deciding a decision against Facebook and Twitter regarding previous data breaches.