Twitter ‘over a decade behind’ industry standards for cybersecurity: whistleblower

Peiter 'Mudge' Zatko noted that a typical Twitter engineer would be able to tweet as any of the senators on the committee

Former Twitter chief security officer Peiter "Mudge" Zatko is blowing the whistle on the social media platform's data security shortcomings, claiming that company executives turned a blind eye to the problem while focusing on profits.

Zatko appeared before the Senate Judiciary Committee on Tuesday, saying that after the FTC ordered Twitter to protect users’ private data, the company failed to do so.

"What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards," Zatko said. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people."

"When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm of the real risks associated with them -- and these were problems brought to me by the engineers and employees of the company themselves — the executive team chose instead to mislead its board, shareholders, lawmakers, and the public instead of addressing them."


As for why this happened, Zatko stated that "key parts of leadership lacked the competency to understand the scope of the problem," and that on top of this, "executive incentives led them to prioritize profits over security."

As for the problem itself, Zatko said it could be broken down into two parts. One is that the company has so much information that "They don’t know what data they have, where it lives, or where it came from," and as a result, they "can’t protect it." The other is that too many Twitter employees have access to too much information.

Illustrating that point, Zatko claimed that it is "not far-fetched" to say a Twitter engineer "could take over the accounts of all of the senators in this room."

Zatko later described a real-world incident in which Twitter’s Chief Technology Officer asked him about a potential threat a Twitter user made to members of the board and executive team. Zatko said he then asked a Twitter employee what the company knew about the individual.


"And then it only took that person maybe ten minutes to get back to me and said, ‘Okay, here's who they are. This is the address where they live. This is where they are physically at this moment. They're on their phone. We know their phone number. We also know all of the other accounts that they've tried to set up on the system and hide. And we know who they are on the other social media platforms as well,'" he recalled.

Zatko said that the fact Twitter did not even know all the data it was collecting was a problem, as he had wondered why the company kept having the same number of the same types of problems every year.

While the FTC had ordered Twitter to improve its data security years ago, Zatko asserted that the agency "is a little over their head," given that big tech companies are so large.

"They’re left letting companies grade their own homework. And I think that’s one of the big challenges," he said.

Besides the fact that so many Twitter employees had access to so much information, Zatko said, another problem was that the company did not have a solid infrastructure for detecting who accessed what information or when.

At one point in the hearing, Zatko went into detail about what a person could do with a Twitter user's information that the company had stored.

"This is the information that you need in order to start taking over other people's accounts," he said. "With your phone number and an email address, I can hijack your phone number. I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. I can cause financial harm that way. I can then assume your identity."

"But more importantly, I probably want to be able to understand your whereabouts, your network," he added, explaining that "there might be organizations or groups in the United States where once I know your home address and your home phone number, I can approach you in real life, I can put pressure on you, I could possibly recruit you."

All this made the company a desirable target for planting an asset, he noted, as had already happened when the company learned from the FBI that at least one Chinese agent had been working for the company. India had assets there as well.

"If you placed somebody on Twitter … as we know has happened, it would be very difficult to Twitter to find them," Zatko said. "They would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or on information as to Twitter's decisions and discussions and to the direction of the company."


Leadership, however, did not appear very concerned about this.

"I'm reminded of one conversation with an executive when I said I am confident that we have a foreign agent," Zatko recalled. "And their response was, ‘Well, since we already have one, what does it matter if we have more?’"

Twitter CEO Parag Agrawal denied allegations Zatko made in his whistleblower complaint. In a message to employees reported by Bloomberg, he said the company was "reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context."