By Jimmy H. Koo
President Donald Trump loves to tweet. He has millions of personal Twitter Inc. followers, his White House account shows signs of being just as popular and his tweets frequently make news around the globe.
So consider this: If Trump’s Twitter accounts were hijacked, hackers could exploit them to send fake tweets with potentially severe economic and national security consequences for the U.S., cybersecurity professionals told Bloomberg BNA.
Companies could see their stock prices change in reaction to hacked presidential tweets, much as they have already seen temporary stock price dips in direct response to authentic Trump tweets over the past year.
Corporate executives and corporations should better monitor the president’s messages and respond as quickly as possible if they cast a company in a bad light. Another lesson is to move employees, particularly high-ranking ones, away from using passwords as a sole security measure, and get them to adopt multifactor authentication and other available login verification procedures, the pros said. In short, the hijacked social media account of a politician or executive of a large company, such as Microsoft Corp. or Facebook Inc., can pose significant dangers from the spread of false information, they said.
“If Trump’s Twitter account is hacked and hijacked, a fake tweet could impact the stock market, threaten national security, or possibly prompt a foreign military action,” Evan Blair, co-founder and chief business officer of Baltimore-based social media security and threat intelligence company ZeroFOX, told Bloomberg BNA.
Twitter is one of the world’s most popular social media platforms, with an average of more than 313 million monthly active users, according to the company.
Trump has been very active on Twitter, often tweeting statements about sensitive issues instead of holding official press conferences or sending press releases. With more than 20 million followers and 34.3 thousand posts, his personal tweets are closely followed, scrutinized and publicized.
The correlation between a Trump tweet, regardless of its veracity, and an immediate effect on stock prices is well documented by Bloomberg data. Various companies, including Boeing Co. and Lockheed Martin Corp., have been on the receiving end of Trump’s market-moving tweets.
In a Jan. 23 report, Bloomberg View provided a playbook of how companies can respond to “possible Twitter attacks by Trump.” It suggested monitoring Trump’s statements, reviewing corporate policies, preparing messages in advance, lining up allies and identifying channels to the White House.
Given the considerable influence that Trump’s personal tweets have, if a hacker compromised Trump’s personal Twitter account and sent a rogue tweet, the resulting consequences could be devastating, the cybersecurity professionals said.
The issue of potential hacking of a Twitter account doesn’t arise because of any special weaknesses in Twitter’s systems or security practices. It has more to do with Twitter users failing to take advantage of available safeguards, the cybersecurity pros said.
In June 2016, the online industry nonprofit group Online Trust Alliance named Twitter as the consumer-facing website with the best security, data protection and privacy practices.
Twitter didn’t respond to Bloomberg BNA’s request for comments.
Blair, of ZeroFOX, told Bloomberg BNA, “take a look at the real world market fluctuations after the President-elect’s tweet targeting Boeing and Lockheed’s contracts, Air Force One & F-35 programs respectively.”
Immediately following Trump’s Dec. 6 tweet criticizing the cost of the new Air Force One, Boeing’s stock initially dropped but recovered throughout the day. According to Bloomberg Technology, Trump’s criticism of the “out of control” costs of the F-35 program “tempered a post-election rally” of defense companies’ shares. Lockheed shares fell 3 percent and Northrop Grumman Corp., which is a major supplier of the F-35, and Raytheon Co. tumbled the most since August 2015, Bloomberg Technology reported.
These weren’t the only instances of Trump’s tweets affecting the market. After Trump tweeted Dec. 22 that the U.S. must “greatly strengthen and expand its nuclear capability,” a uranium exchange-traded fund surged immediately.
In the hands of a bad actor, Trump’s Twitter account “could be used to target certain corporate valuations or even market segments,” Blair told Bloomberg BNA.
Trump’s personal Twitter account “has become the official mouthpiece of the United States, making the national security or domestic safety implications of a compromised account far ranging,” Blair said. “What if a ‘nasty’ tweet was fired off by a bad actor at the North Korean dictator or the Iranian regime? What if a racially charged tweet was published with a call to action?” Blair asked.
There already is an example of Trump’s tweets spurring an official response by another state. Following a series of Trump’s tweets criticizing China’s stances on Taiwan, international trade, the South China Sea and North Korea, Chinese state news agency Xinhua responded in a commentary post that Trump’s “Twitter foreign policy” was “undesirable.” Instead of Twitter, Xinhua called for diplomacy behind closed doors and through traditional channels.
Alex Cox, Director of RSA's Threat Intelligence team in Reston, Va., told Bloomberg BNA that most of the activity associated with a hacked social media account revolves around politically motivated hacktivism, including defacement of websites, phishing and other cybercrimes, such as social engineering phishing of e-mail recipients and leveraging hacks to access other accounts.
“A Twitter account probably has no financial value by itself but depending on the account owner, it could be used to spread false information and create wrong impressions,” Amit Ashbel, director of product marketing and cyber security evangelist at application testing company Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA.
There are real life examples of Twitter accounts being hijacked and posting rogue messages. In May 2016, hackers gained control of pop star Katy Perry’s Twitter account and started posting uncharacteristic tweets filled with profanities.
In December 2016, hacking team OurMine accessed Netflix Inc. and Marvel Entertainment LLC’s Twitter accounts and posted the message, “Hey, it’s OurMine, Don’t worry we are just testing your security, contact us to help you with your security.”
As Ashbel puts it, “these are all potential possibilities, and ones that could spark irreversible upheaval within the U.S. and around the globe.” The possibility of damage is also present for a popular corporate Twitter account. A “hacked account with a large number of followers could create quite a mess and confusion,” for a company, he said.
According to cybersecurity pros, it’s not very difficult to hack into a Twitter account. The deciding factor is the user’s own security measures.
“Hacking a Twitter account is generally the same as any other account that uses username/password pair,” Cox said. According to Ashbel, “hacking any account is possible.”
Passwords are “too easy to guess, too often reused and many times not protected in a sufficient capacity,” Cox said.
DataGravity Inc. Chief Information Security Officer Andrew Hay agreed.
“Generally speaking, it’s not that difficult if the account owner utilizes an insecure password and doesn’t employ the more advanced features—such as enabling two-factor authentication,” Hay said. “Like many large social media companies, Twitter is security savvy and offers two-factor authentication measure,” Cox said.
“Two-factor authentication is probably the best course of action that a user could employ for all online accounts,” Hay told Bloomberg BNA. “When linked to a physical token, such as a mobile phone, the difficulty to compromise the account becomes exponentially more difficult,” he said. “Two-factor authentication is a necessity,” Blair said.
Trump should be using “all available measures Twitter provides,” Ashbel said. “Two-factor authentication would be an obvious one,” he said.
To contact the reporter on this story: Jimmy H. Koo in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.