A security hole exposed the private tweets of some Android users between November 3, 2014 and January 14, 2019.

Twitter has since corrected the security flaw, but it may still face an investigation from the Irish Data Protection Commission (DPC). The EU’s GDPR allows for a fine of up to 4% of company revenue if its rules are violated. Twitter posted revenues of $2.87 billion in 2017.

Daniel Stoller and Sara Merken filed this report in Bloomberg:

The social media giant Jan. 17 said in a blog post that a privacy setting for some Twitter for Android users may have been disabled. The new Twitter data security scandal adds to the company’s EU privacy woes. EU officials already were investigating the social media giant’s data breach response and privacy practices.

“The Irish Data Protection Commission (DPC) has been notified of this data breach and we are currently assessing its contents,” Graham X. Doyle, head of communications at the commission, told Bloomberg Law Jan. 17. The privacy office hasn’t launched a formal investigation into the new security flaw, he said.

The scrutiny may put more pressure on the U.S.-based tech company to improve privacy practices or face massive EU privacy fines of 4 percent of the company’s annual revenue under the EU’s General Data Protection Regulation. The company earned $2.87 billion in revenue in 2017, Bloomberg data show.

“The DPC opened a statutory inquiry in late 2018 into Twitter’s obligation under the General Data Protection Regulation (GDPR) to implement technical and organizational measures to ensure the security and safeguarding of the personal data it processes following the receipt of a number of breach notifications from the company since May 25, 2018,” Doyle said. “This inquiry is ongoing.”