Twitter under fire for profiting from millions of UK users' data sold to advertisers

Natasha Bernal
Twitter has admitted that users' security email and phone numbers were used to target them with advertising - AP

Twitter has been accused of unfairly profiteering from the personal data of up to 14.1 million people in the UK after it used their email addresses to sell targeted advertising without their knowledge.

The San Francisco-based social media giant admitted on Tuesday that it allowed advertisers to benefit from email addresses and phone numbers which it was given by users for security reasons.

The revelations triggered a furious backlash in London.

Tory MP Damian Collins, chairman of the Commons' digital committee, accused Twitter of trampling over users' rights to squeeze out profits by aggressively targeting them with personalised adverts.

He said: "This is a significant breach and a 'hands up apology' is not enough for Twitter to escape a thorough investigation into how individuals’ data could have been misused.

"Unintentional use is no defence. People trust that their personal data – email addresses and phone numbers – are safe in the hands of tech companies, who have a legal duty to keep it safe."

It is understood that all of Twitter's 140 million global users could have been affected by the gaffe, although the company has not confirmed any figures. The firm generated $727m in advertising revenue in the UK last year.

Twitter had users' emails and phone numbers because it uses a security process called two-factor authentication, where they have to log in using a code which has been text to their mobile. They did not know this data would be used for advertising purposes.

Silkie Carlo, of privacy campaign group Big Brother Watch, said the debacle is a "profoundly disappointing reflection" of social media companies' attitudes towards users' privacy, security and data rights. 

She said: "If they truly didn't even know until last month that they were leaking this data, and they don't know how many of their 140 million users are affected, then Twitter really shouldn't be trusted with private data at all." 

Fellow campaign group Privacy International said the breach, which could have impacted anyone using two-factor authentication on the site until last month, is hugely concerning in light of European data protection laws. 

Twitter, which has its European headquarters in Dublin, has notified the Irish Data Protection Commissioner of what happened and apologised.

The watchdog, which has the power to fine firms up to 4pc of their worldwide revenue if they break the law, confirmed it is engaging with the company to establish further details. 

Alan Woodward, data privacy expert at the University of Surrey, criticised Twitter for not notifying users about whether their data had been used for targeted advertising.

He said: "The fact that Twitter may have passed on your telephone number doesn’t undermine the security of the two factor authentication process really.

"It’s more a trust issue now: should I minimise the amount of data I give to big tech companies even if it might keep me secure?"

The social media company said it had addressed the problem as of September 17, and that none of the data was shared externally with its partners or any other third parties. 

This is the latest in a series of breaches for the company, which last year admitted it stored users' passwords in plain text and confirmed a location data leak.