(Bloomberg Opinion) -- Considering the fact that Twitter Inc. was still in damage-control mode Thursday from what was arguably the worst security failure in its history, it was a little surprising that investors didn't seem to care all that much, with its stock price barely down in afternoon trading. The market’s initial assessment seems to be that the social media platform’s users will take the breach in stride and return to the service — which does seem to have been the case so far.But even if Twitter’s user growth is relatively unaffected, shareholders shouldn’t overlook what the latest in a long series of security incidents says about the how the company works and why its stock has been such a disappointment: Twitter’s engineering prowess and management practices are simply second-rate.
On Wednesday, numerous Twitter accounts from business leaders, celebrities to major companies — including Elon Musk, Barack Obama, Jeff Bezos and Apple — were hacked and posted cryptocurrency scam messages, promising to double the amount of any funds sent to a specific Bitcoin address. Twitter later admitted to the unprecedented nature of the breach, saying it believes it fell victim to a “coordinated social engineering attack,” where hackers were able to take control of its internal systems. CEO Jack Dorsey tweeted, “Tough day for us at Twitter. We all feel terrible this happened.”
Certainly, hedge fund Elliott Management must not be pleased with the turn of events. The activist hedge fund and Twitter stakeholder reached an agreement with the company earlier this year to restructure the company’s board, standing down on an initial goal of replacing management including Dorsey. The lackluster security is more ammunition for Twitter’s critics who have long questioned the company’s efficacy in using its engineering resources. Even as Chinese super-apps such as WeChat have expanded upon core messaging services to build vast consumer internet empires, and Facebook Inc. has transformed its platforms into advertising money machines, the basic nature of Twitter’s offering hasn’t changed much over the past decade. That, even as the company spends an incredible amount in research and development annually — including nearly $700 million last year alone. Where does all the money go? Twitter’s financial performance has been anemic as well. It has yet to crack the monetization code even as its daily usage metrics improve. In its latest reported quarter, Twitter posted the worst ad revenue trends among the major U.S. internet ad platforms, with sales rising a meager 3% year over year. That paled in comparison to Facebook’s 18% growth for the same time period — even as Twitter is a fraction of its larger competitor’s size. Once again it comes down to technical aptitude. Twitter has struggled to build more advanced, transaction-oriented direct-response ads, while its competitors have thrived in that market.
Wednesday evening’s response to the attack gave further evidence of the structural issues. While the company said it “immediately” took down the posts and locked affected accounts when it found out about the hack, my observations point to a slower response. I directly saw how scam messages with the same Bitcoin address continued to spread for more than an hour to different accounts, and how posts stayed up for some time before being deleted. It made me wonder why Twitter couldn’t move faster in automatically deleting any message posted with this specific cryptocurrency address, and suggested a lack of security defense capabilities.
The problem is, we’ve seen this many times before — and that doesn’t speak well for management. There is no excuse for what happened. In 2010, Twitter agreed to a settlement with the Federal Trade Commission for not adequately protecting the personal information of its users. The government said at the time Twitter had “serious lapses” in its security that allowed hackers to get “unauthorized administrative control” to posts from the accounts of high-profile users such as Barack Obama. Sound familiar?
There were other incidents. In 2017, a contractor was able to take down President Donald Trump’s account for a short time period. Last August, hackers took control of Dorsey’s own account and posted hate messages. Finally, late last year, the Justice Department charged two of the company’s former employees for possibly accessing internal data for Saudi Arabia. One would think Twitter would have vigorously built fortress-level security barriers and rock-solid safeguards to protect against another intrusion. Clearly, whatever the company did wasn’t enough.We do not yet know the full extent of the damage from the latest incident. Did the hackers get access to personal information such as email addresses, phone numbers and passwords? Were personal direct messages sent between users stolen?
For some groups — like the media — Twitter is still an indispensable part of the job. But, if it turns out the hack was far worse than just a Bitcoin scam, it could put the company’s user base in jeopardy — especially if there are more lapses going forward. Whatever the fallout, the security debacle serves as a reminder of Twitter’s technical and business deficiencies. And unless serious changes are made, the outlook for the company isn’t much better. This might be time for an investor like Elliott to get active again.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Tae Kim is a Bloomberg Opinion columnist covering technology. He previously covered technology for Barron's, following an earlier career as an equity analyst.
For more articles like this, please visit us at bloomberg.com/opinion
Subscribe now to stay ahead with the most trusted business news source.
©2020 Bloomberg L.P.