Twitter Inc. was “10 years behind” industry security standards and had little grasp of the vast troves of data it collected, whistleblower Peiter “Mudge” Zatko claimed in devastating testimony before the Senate on Tuesday.
“They don’t know what data they have, where it lives, and they don’t know how to protect it,” Zatko, who led the company’s information security approach, said in testimony before the Senate Judiciary Committee.
Upon joining Twitter in late 2020, Zatko said he discovered “this enormously influential company was over a decade behind” industry standards and when he raised concerns about security vulnerabilities to company executives, they failed to act.
Chief among his concerns: The company’s unwillingness to remove a foreign agent on Twitter’s payroll in a foreign office. “There were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing,” he said, because of the lack of logging of how its internal systems were being used.
Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government.
Equally galling, Zatko cited an internal study conducted by engineers, which found that for only about 20% of the data Twitter collects did the company know “why they got it, how it was supposed to be used, when it was supposed to be deleted.”
In November 2020, Twitter hired Zatko — who previously worked at the Pentagon, a Google division, and fintech firm Stripe — to fortify cybersecurity and privacy at the company following a high-profile hack allegedly spearheaded by a Florida teenager in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden.
“It’s not far-fetched to say a Twitter employee could take over the accounts of all of the senators in this room,” warned Zatko, who identified instances where foreign governments, including China, sought access to Twitter’s user data through various coercive methods.
The damaging testimony, which underscored a seeming unwillingness or indifference by Twitter leaders such as co-founder Jack Dorsey and the board of directors to address Zatko’s concerns, prompted calls by senators to restructure Twitter.
“I don’t see how [Twitter Chief Executive Parag] Agrawal can maintain his position at Twitter” if Zatko’s claims are accurate, Sen. Charles Grassley, R-Iowa, said. Agrawal did not accept an invitation to testify, Grassley added, because Twitter was concerned his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk to acquire the company. Musk is attempting to back out of the $44 billion deal, which goes to Delaware Court of Chancery in October.
Zatko could also find himself at the center of renewed regulatory scrutiny of Twitter, as was the case after Frances Haugen blew the whistle on then-Facebook nearly a year ago. The company has since been renamed Meta Platforms Inc. and is being sued by the Federal Trade Commission to block its planned purchase of virtual reality firm Within.
“Twitter has an outsize impact on global politics and events, and it even tried to reposition itself as a news app several years ago. The complaint has already caught the eye of regulators, and [Zatko’s] testimony could add fresh fuel to the fire,” Insider Intelligence principal analyst Jasmine Enberg said.
“I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success,” Zatko told lawmakers on Tuesday. “But that success can only happen if the privacy and security of Twitter’s users and the public are protected.”
Twitter said Zatko’s allegations were “riddled with inaccuracies,” and that the company prioritizes security and privacy.
Zatko was fired for “ineffective leadership and poor performance,” Agrawal wrote in an email to employees, calling the disclosures a “false narrative that is riddled with inconsistencies and inaccuracies” and presented out of context.