The Guardian (USA)

Twitter whistleblower tells Senate of ‘egregious’ security failings by company

- Kari Paul

A Twitter whistleblower who accused the company of “egregious” security deficiencies testified in front of Congress on Tuesday, alleging those failures made the platform vulnerable to exploitation, including by foreign agents.

Former hacker Peiter “Mudge” Zatko worked as head of security at Twitter from 2020 until he was fired in 2022, and says in that time he witnessed “extreme, egregious deficiencies by Twitter in every area of his mandate”.

“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said as he began his sworn testimony. “They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”

Zatko filed a whistleblower complaint in July with Congress, the justice department, the Federal Trade Commission and the Securities and Exchange Commission alleging that Twitter misled regulators and the public about its safety practices.

At the hearing on Tuesday, he detailed those claims, saying that Twitter runs out-of-date and vulnerable software on more than half of its data center servers. He summarized concerns into two main categories: the company does not know enough about its own data, and employees have too much access to data.

“It’s not an exaggeration that any employee could take over the accounts of any senator in this room,” he said.

Zatko alleged that Twitter was breached by foreign intelligence agencies in “multiple episodes”.

He said Twitter knowingly allowed the government of India to place its agents on the company payroll, adding he spoke with “high confidence” about a foreign agent placed by the Indian government to “understand the negotiations” between India’s ruling party and Twitter about new social media restrictions.

Responding to questions from Senator Chuck Grassley of Iowa about reports that the FBI had warned that the company had inadvertently employed at least one member of China’s state security ministry, Zatko said Twitter “lacks the fundamental abilities to hunt for foreign intelligence agencies and expel them on its own”.

He alleged foreign agents at the company would have access to large swaths of user data, and said that when he once alerted Twitter about a foreign agent, he was dismissed: “Since we already have one, what is the problem if we have more?” he says he was told.

Twitter did not immediately respond to a request for comment about the allegations Zatko made at the hearing, but the company has called Zatko’s description of events “a false narrative ... riddled with inconsistencies and inaccuracies” and lacking important context.

A representative for Zatko did not immediately respond to a request for comment either.

Grassley said Zatko’s allegations paint a “picture of a company that is solely focused on profit at any expense.” He added: “Twitter has a responsibility to make sure that data is protected and doesn’t fall into the hands of foreign powers.”

Zatko has also accused Twitter of doing little to combat problems with spam bots – an allegation that bolsters Elon Musk’s case for backing out of his Twitter acquisition. The billionaire reversed course on a $44bn deal to purchase Twitter citing concerns about the number of illegitimate accounts.

Those allegations were not addressed in the hearing, but a Delaware judge overseeing the lawsuit Twitter brought against Musk to complete the deal has ruled that Zatko’s allegations can be used in the trial, which is set to start on 17 October.

Zatko is the latest whistleblower to come forward against big tech, after bombshell revelations from the former Facebook employee Frances Haugen in 2021, who accused the company of knowingly causing harm to its users.

The former Twitter executive’s accusations differ, however, in that he did not share the troves of documents supporting his claims that Haugen brought in her whistleblowing.

Still, the hearing is the latest to put big tech in the hot seat as companies in the industry are increasingly under fire for their vast power, and comes as Twitter faces fresh scrutiny for its news operations, said Jasmine Enberg, a principal analyst at market research firm Insider Intelligence.

“Twitter has an outsized impact on global politics and events, and it even tried to reposition itself as a news app several years ago,” she said. “The complaint has already caught the eye of regulators, and [Zatko’s] testimony could add fresh fuel to the fire.”

In the hearing, lawmakers expressed a need for more regulation of Twitter and other social media firms. Senator Richard Blumenthal even suggested the need for a new regulatory agency within the Department of Justice “focusing on privacy, security, protecting users as well as our national security”.

Zatko joined calls for more oversight. He said there had not been enough government enforcement when it comes to the operations of big tech, and that the Federal Trade Commission is “in over its head” when going up against huge tech firms.

“They’re left letting companies grade their own homework,” he said. “And I think that’s one of the big challenges.”

Photograph: The Washington Post/Getty Images. Peiter Zatko, also known as Mudge, begins his congressional testimony on Tuesday.
