Twitter’s former head of security, Peiter “Mudge” Zatko, made some serious allegations about the state of security and data protection in the company on Tuesday.
The whistleblower, who was fired from his post in January, alleges the company was vulnerable to spying, hacking and disinformation campaigns and that technical and organisational shortcomings meant Twitter could not reliably delete user data on request.
But perhaps the most shocking allegations are about Twitter’s culture.
Zatko claims he was prevented from raising Twitter’s security issues with the company’s board of directors—and that other Twitter employees had misled regulators about the company’s progress on security.
The case underlines the importance of maintaining a transparent, communicative culture around security, privacy and other risks.
A Brief History of Twitter’s Security and Privacy Issues
As context for his allegations about the poor state of information security within Twitter, Zatko suggests the company has “earned a reputation for problems with security, privacy and integrity”.
The whistleblower’s disclosure, submitted to the US Congress and obtained in redacted form by the Washington Post, lists several well-known security and privacy incidents involving Twitter.
One such incident was a US Federal Trade Commission (FTC) investigation into allegations that Twitter failed to protect its users’ data. This investigation resulted in a March 2011 consent order requiring the company to improve its security and privacy practices.
Zatko also cites an incident in July 2020 where a group used social engineering tactics to take control of high-profile Twitter accounts, including those of Barack Obama, Joe Biden and Elon Musk, and use them to proliferate a cryptocurrency scam.
And in July, the FTC announced a $150m fine against Twitter for using phone numbers collected for multi-factor authentication for ad-targeting purposes.
Zatko’s disclosure claims that in 2020, Twitter experienced 40 security incidents that were sufficiently serious to warrant disclosure to regulators.
Zatko’s disclosure states that, while working as Twitter’s head of security, he discovered “egregious deficiencies, negligence, wilful ignorance and threats to national security and democracy”.
Some of the allegations raised in the disclosure include that Twitter:
Only managed around 20% of its internal data sets, resulting in “ignorance and misuse”
Mishandled personal data, including for the purposes of direct marketing
Used security cookies for marketing and functionality purposes
Had serious vulnerabilities at over 50% of its 500,000 servers
Failed to manage employee devices that were used to access core systems
Failed to adequately monitor insider threats
Gave “far too many staff” (around half of Twitter employees) access to sensitive live production systems and user data
Zatko also found that Twitter would be unable to recover “for weeks, months, or permanently” in the event of a “temporary but overlapping” outage of a small number of data centres.
‘Stiff Pushback’ From Senior Leadership
Zatko claims that he presented his security and privacy findings to senior executives in February last year, around a week before Twitter’s Q1 board meeting.
Zatko claims Jack Dorsey, who was Twitter’s chief executive officer (CEO) at the time, had specifically recruited him for his “ability to speak truth to power” and that he had instructed Zatko “not to hold back” when giving his report.
According to the whistleblower’s disclosure, many Twitter executives were “stunned” to hear his account of the company’s “dire” security and privacy posture.
However, Zatko claims he experienced “stiff pushback” and “defensiveness and denial” from Parag Agrawal, who was then Twitter’s chief technology officer (CTO) before taking over from Dorsey as CEO last November.
Withholding Information from the Board
Following the meeting with Twitter executives, Zatko alleges that he was instructed not to present his findings in writing to Twitter’s board of directors.
Instead, the whistleblower claims he was told to convey his account “orally” and at a high level only.
The disclosure alleges that Twitter executives felt that the company’s board should be kept “uninformed” to keep them “very hands-off” and “out of Twitter’s business”.
Zatko complied with the request to keep Twitter’s board in the dark about the company’s security and privacy issues. He also claims that the company failed to provide accurate information to the FTC—a condition of the company’s 2011 consent order.
The whistleblower claims that “with the benefit of hindsight”, he now sees the request as part of an “ongoing effort to restrict critical information and defraud” the company’s board and shareholders.
Maintaining a Transparent and Coordinated Risk Culture
The Twitter whistleblowing case underscores the importance of maintaining a transparent and coordinated approach to risk management across an entire organisation, from the board down.
Every employee within an organisation has a role to play when it comes to respecting privacy, maintaining security and mitigating risks.
And to prevent risks from getting out of control, management teams, executives and directors should be actively seeking information about the company’s security posture.