Twitter’s former security chief Peiter Zatko dropped a bombshell whistle-blower complaint against his previous employer alleging cybersecurity negligence and mismanagement.
In his July 6 filing with the US Securities and Exchange Commission (SEC), Federal Trade Commission (FTC) and the US Justice Department (DOJ), Zatko claimed he witnessed “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”
Zatko said he tried to raise the security lapses with Twitter executives and the company’s board but was ignored.
“In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” he said in the complaint obtained by The Washington Post and CNN. “These included 20 incidents defined as breaches; all but two of which were access control related.”
Zatko also alleged that Twitter lacked basic security controls. Thousands of employee laptops held complete copies of Twitter’s source code, and nearly one-third of those devices either blocked automatic security updates or had their system firewalls turned off.
Zatko further claimed that 5,000 full-time Twitter employees had broad, poorly monitored access to the platform’s internal software, giving them the ability to read sensitive user data and alter how the service worked.
“Employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” said Zatko.
“The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further,” said Senator Charles Grassley in a statement. Grassley’s office has reportedly discussed the security complaints with Zatko.
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” he said.
Zatko, a well-known hacker, was hired by Twitter in late 2020, months after a very public breach in which attackers hijacked the Twitter accounts of some of the world’s most famous people, including Joe Biden, then a presidential candidate and now US President, and Tesla CEO Elon Musk. That history makes the whistle-blower filing all the more pertinent.
Musk is currently in a legal battle with Twitter to try and get out of a $44 billion contract to buy the social media platform, claiming that Twitter misrepresented user data and that the number of spam bots on the platform is much higher than the company disclosed.
Zatko’s complaint appears to support Musk’s claims: Zatko said in the filing that Twitter executives do not have the resources to fully understand the true number of bots on the platform.
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” said Twitter spokesperson Madeline Broas. “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” she said. “Security and privacy have long been company-wide priorities at Twitter and will continue to be.”