Twilio's lack of consistency in security documentation

Travis Good
August 15, 2022

The big news last week regarding Twilio's data breach led us to dig into what happened. The breach resulted from a successful phishing attack sent via text message — a technique referred to as smishing.

As a security platform built on Slack that offers awareness training, phishing games, compliance training, ongoing security surveys, quizzes and more — we focus heavily on scams, phishing/smishing, and keeping employees up to date on current attacks and threats. Stopping what happened at Twilio is essentially the reason why we exist as a company.

As we dug into the breach and into Twilio's publicly available material on its security program, we found inconsistencies. We were also surprised by the published policies themselves, which fall short of security best practices.

In this post we cover what we learned about Twilio that likely increased the odds of it being the victim of a targeted attack. We also discuss why transparency around your infosec program is valuable, but only if you keep it consistent and up to date and follow through with implementation.

Twilio and Security Awareness Training

The attack against Twilio used US mobile carriers to deliver targeted SMS phishing messages to Twilio employees. Here's an example of the message:

Phishing attacks, regardless of the platform (email, SMS, etc.), are extremely common. So much so that scams should be on your mind every time you get a new message.

Even with robust email and text filtering, it's essentially impossible to automate away 100% of phishing attacks. Regardless of the security tooling in place, some phishing messages eventually reach their targets. Sometimes attackers need to get creative; sometimes they just need to keep attacking until someone bites, as these attackers did by moving to SMS. With thousands of employees, there's a high likelihood that someone in your organization will eventually fall for an attack.

Given the fact that you can't eliminate all phishing scams from reaching targets, educating employees is a key aspect of protecting against the risk of phishing. Most organizations train their staff using a combination of security awareness training and phishing simulations.

According to Twilio's public security page:

  • “During onboarding, all new hires must complete Twilio's Security Awareness Training, which explains common security threats, security policies, and best practices.”
  • “The Twilio workforce is required to complete the Twilio Security Awareness Training annually and acknowledge our set of security policies and standards.”
  • “Twilio educates its workforce on protecting and securing their home networks and devices, including recommendations for Wi-Fi networks, known device attack vectors such as Bluetooth, physical security, and best practices for using software and handling data.”

The above is the minimum training required by security certifications and frameworks such as SOC 2, ISO 27001, and the HIPAA Security Rule; Twilio holds many security and privacy certifications. The problem with this approach is that learning anything only once a year, especially something as pervasive to daily work as security hygiene, is not effective at changing behavior.

It's surprising that Twilio does not commit to more frequent security training, and it's surprising that they publish this minimum on their public marketing site.

But wait, Twilio says something else

Twilio also documents training in its Security Overview. In that document, Twilio states the following:

5.2 Employee Training. At least once (1) per year, Twilio employees must complete a security and privacy training which covers Twilio's security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Twilio's dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees.

Maybe Twilio does security training more frequently than once per year? Maybe they also run phishing campaigns? It's surprising to publish multiple public statements on security training that aren't consistent with each other. Neither of the above linked documents is necessarily the established internal Twilio policy on security training. Nothing in what is available is prescriptive, so it's hard to conclude anything other than that Twilio doesn't publicly commit to more than annual security awareness training (which, again, is not effective).

Twilio is Taking Action

To Twilio's credit, they are improving their approach to security awareness training. According to Twilio, since the recent incident:

We have reemphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks.

Attacks, security incidents, and data breaches are inevitable. How we handle them — communications, improvements, transparency — matters a lot.

Twilio seems to be taking this seriously. I'm curious if their external security documentation will change to reflect more of a commitment to regular training and the above changes they wrote about in regard to this specific incident.

Transparency in Security

One additional lesson from this incident is to be consistent with your security messaging. Security and trust are a major part of closing customers and winning partners. Because of that, there's a trend toward being transparent about security and using it as an asset.

When you are transparent, ensure that the content you post publicly is kept up to date and that it is consistent even if it's written by different groups — legal, marketing, IT, compliance, etc.

Inconsistencies in how you talk about internal security don't build trust.