Twitter's Ex-Security Chief Files Whistleblower ComplaintPeiter Zatko Alleges 'Extreme, Egregious Deficiencies' in Twitter's Security
Twitter's former security chief, Peiter Zatko, filed with the U.S. federal government a whistleblowing complaint against the social media giant alleging "extreme, egregious deficiencies" in security and user privacy.
In a complaint to the Securities and Exchange Commission Zatko says he believes these deficiencies violated the law, including Twitter's 2011 settlement with the Federal Trade Commission. He also alleges senior executives misrepresented the efficacy of the company's security program to the board of directors and allowed foreign government agents to infiltrate its ranks and obtain unchecked access to information on its 238 million daily users.
Twitter, the SEC and FTC didn't immediately respond to a request for comment.
A company spokesperson says in an emailed statement that Zatko is pushing "a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context." Zatko was dismissed from his position in January, the company says, for "ineffective leadership and poor performance."
News of the complaint by Zatko, who's better known in cybersecurity circles as "Mudge," was first reported by The Washington Post. It has published a copy of the complaint, as well as the results of an external report Zatko commissioned in 2021 to study Twitter's approach to misinformation. Also published: a February report from Zatko to Twitter, provided at its request, to outline outstanding security problems. The documents have been partially redacted, including to obscure the details of alleged security problems. A spokesman for Whistleblower Aid, an organization providing Zatko with legal assistance, confirmed the documents' authenticity.
Zatko gained fame as a member of the "L0pht" ethical hacking collective in the 1990s and later moved to top cybersecurity research positions at the Defense Advanced Research and Projects Agency and Google.
First-Ever 'Head of Security'
Zatko was hired by then-Twitter CEO Jack Dorsey in November 2020 to serve in a newly created position: head of security, working alongside the then recently hired CISO, Rinki Sethi.
Their appointment followed Twitter having recently suffered a major and embarrassing hack attack (see: 3 Charged in Twitter Hack).
In November 2021, Twitter CTO Parag Agrawal took over as CEO. Zatko's complaint notes that Agrawal had been responsible for security decisions in his CTO role.
In January, both Zatko and Sethi were fired. A corporate memo said "the changes followed an assessment of how the organization was being led and the impact on top-priority work" (see: Twitter: Head of Security Reportedly Fired; CISO to Leave).
Alleged Penetration by 'Foreign Intelligence Agents'
Zatko's complaint alleges that numerous security problems remained unresolved when he left. It also alleges that Twitter had been "penetrated by foreign intelligence agents," including Indian government agents as well as another, unnamed foreign intelligence agency. A federal jury recently found a former Twitter employee guilty of acting as an unregistered agent for Saudi Arabia while at the company (see: Ex-Twitter Employee Found Guilty of Spying for Saudi Arabia).
In his February final report to Twitter, Zatko alleged that "inaccurate and misleading" information concerning "Twitter's information security posture" had been transmitted to the company's risk committee, which risked the company making inaccurate reports to regulators, including the FTC.
According to his report, the risk committee had been told that "nearly all Twitter endpoints (laptops) have security software installed." But he said the report failed to mention that of about 10,000 systems, 40% were not in compliance with "basic security settings," and 30% "do not have automatic updates enabled."
Zatko also says more than half of the company's servers kept inside data centers operate with "non-compliant" kernels or operating systems and that many of the servers are unable to support encryption.
Mishandling Personally Identifiable Information
Zatko's report also warns of overly broad access to information by insiders, and that the company has a "limited ability to effectively constrain and mitigate insider risk" because it lacks "mature access control" as well as robust "separation of sensitive data and systems."
The company repeatedly used email addresses and phone numbers collected for security purposes for marketing purposes, Zatko alleges. Twitter agreed in May to pay a $150 million civil penalty to the FTC to settle an investigation into those allegations. Zatko's complaint says the company's product sales team was guilty of mishandling personally identifiable information for ad-targeting purposes even during the period of negotiations leading up to the May settlement. Zatko says he recalls a Twitter executive responding to the incident by saying, "So we only started to address the problem, and then got side tracked and forgot about it? We do that for everything."
Twitter entered into a two decade consent agreement with the FTC to improve its data security and privacy practices in 2011.
Zatko tells The Washington Post that his decision to go public with his allegations against Twitter resulted from him feeling "ethically bound" to detail security failings. "This is not a light step to take," he added.
Whistleblower Protection; Potential Reward
The SEC offers legal protection to whistleblowers. Zatko could also be rewarded if information he provides leads to a successful enforcement action.
"Whistleblower awards can range from 10% to 30% of the money collected when the monetary sanctions exceed $1 million," the SEC says.
The allegations could play into moves by Elon Musk to back out of his $44 billion agreement to take control of Twitter. Musk's lawsuit alleges in part that Twitter understated the number of fake accounts, or "spam bots," running on its platform. Twitter disputes those claims.
Among the allegations contained in Zatko's complaint is that Twitter CEO Agrawal "tweeted false and misleading statements about Twitter's handling of bots."
On Monday, Musk subpoenaed Twitter's former CEO, Dorsey, as part of his case. As the Guardian reports, Musk and Dorsey are friends.