
Twitter spy scandal a wake-up call for companies to clean up their data access acts

by ethhack

A tremor rippled across the information security community last week when the Justice Department announced criminal charges against two Twitter employees, Ahmad Abouammo and Ali Alzabarah, for acting as foreign agents under the direction and control of the Kingdom of Saudi Arabia. The complaint alleges that the two men used their ability to access user data to provide the Saudi rulers with private information on more than 6,000 Twitter users.

Abouammo, who was a media partnerships manager at Twitter, is a US citizen. Alzabarah, who was a site reliability engineer at the social media giant, is a Saudi citizen, as is a third man, Ahmed Almutairi, who did not work at Twitter but acted as an intermediary in the theft of some of the data.

Both former Twitter workers had access to proprietary and confidential information about Twitter's users, including email addresses, birthdates, phone numbers and IP addresses. Alzabarah, who pulled data on four specific users at the request of the Saudis, also had access to users' biographical information, logs that contained the users' browser information, and a log of all of a particular user's interactions at any given point in time, the complaint says.

The former Twitter employees accessed the user data even though neither man's job duties required access to this information, a reportable violation of Twitter's policies at the time regarding user data protection. Twitter says it enhanced its controls and permissions in 2015 to restrict user data access to only those whose duties required it.

Insider breach raises questions

Even so, the case of insiders spying on behalf of a foreign government raised alarm bells among cybersecurity specialists about what they fear is widespread lax employee access to sensitive data at tech companies. "There are two big takeaways" from this situation, says Mike Chapple, senior director of IT and associate teaching professor of IT, Analytics and Operations at the University of Notre Dame.

First, “Why did employees who had nothing to do with interactions with individual users have access to the systems that contain that information where they were able to go in and pull this profile information,” Chapple asks. “Anybody who’s been around cybersecurity for a while knows that there’s this principle of ‘least privilege’ that we’ve embraced for decades. It says people should only have the access they need to do their jobs.”

Copyright © 2019 IDG Communications, Inc.
