Whistleblower accuses Twitter of cybersecurity negligence

Peiter Zatko, Twitter's former head of security, describes willful ignorance by the company's executives on counting the millions of accounts that are automated 'spam bots'. (AP)
  • Peiter Zatko served as Twitter's security chief until he was fired early this year
  • Better known by his hacker handle "Mudge," Zatko is a highly respected cybersecurity expert

Twitter's former head of security alleged that the company misled regulators about its poor cybersecurity defenses and its negligence in attempting to root out fake accounts that spread disinformation, according to a whistleblower complaint filed with US officials.
The revelation could create serious legal and financial problems for the social media platform, which is currently attempting to force Tesla CEO Elon Musk to consummate his $44 billion offer to buy the company. Several members of Congress on Tuesday called on regulators to investigate the claims.
Peiter Zatko, who served as Twitter's security chief until he was fired early this year, filed the complaints last month with the US Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The legal nonprofit Whistleblower Aid, which is working with Zatko, confirmed the authenticity of a redacted copy of the complaint posted online by the Washington Post.
"This was a last resort for him," said John Tye, the group's co-founder and chief disclosure officer, in an interview Tuesday. He said Zatko exhausted all attempts to get his concerns resolved inside the company before his firing in January.
Among Zatko's most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of "spam" or fake accounts, an allegation that is at the core of Musk's attempt to back out of the Twitter takeover.
Better known by his hacker handle "Mudge," Zatko is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon's Defense Advanced Research Projects Agency (DARPA) and Google.
He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.
Twitter said in a prepared statement Tuesday that Zatko was fired for "ineffective leadership and poor performance" and said the "allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders." The company called his complaint "a false narrative" that is "riddled with inconsistencies and inaccuracies and lacks important context."
Zatko's attorneys, Debra Katz and Alexis Ronickher, said Twitter's claim about his poor performance is false and that he repeatedly raised concerns about "grossly inadequate information security systems" with top executives and Twitter's board of directors. The lawyers said that in late 2021, after the board was given "whitewashed" information about those security problems, Zatko escalated his concerns, "clashed" with CEO Parag Agrawal and board member Omid Kordestani and was fired two weeks later.
The 84-page complaint describes a broken corporate culture at Twitter that lacked effective leadership and where Zatko said top executives practiced "deliberate ignorance" of pressing problems. His description of Dorsey's leadership style is particularly scathing; he described the Twitter founder as "extremely disengaged" during the last months of his tenure as CEO to the point where he would not even speak during meetings on complex issues facing the company.
Zatko said he heard from colleagues that Dorsey would remain silent for "days or weeks." Dorsey announced he was stepping down as Twitter CEO in November 2021.
The disclosure says Twitter offered no monetary incentives for improving security and platform integrity, although the company did offer $10 million bonuses last year for top executives who could generate short-term user growth.
Among Zatko's accusations of cybersecurity malpractice: software and security updates were disabled on more than a third of employees' computers, unduly exposing them to malware, and it was common for people to install "whatever software they wanted on their work systems." Such lapses are typically considered cardinal sins in cybersecurity.
Whistleblower Aid said it is legally precluded from sharing Zatko's statement. The same group worked with former Facebook employee Frances Haugen, who testified to Congress last year after leaking internal documents and accusing the social media giant of choosing profit over safety.
"I wouldn't say he's happy about having to become a whistleblower, but he's resolute in his decision," Tye said. "And committed to getting to the bottom of this."
Among the most alarming complaints is Zatko's allegation that Twitter knowingly allowed the Indian government to place its agents on the company payroll where they had "direct unsupervised access to the company's systems and user data."
A 2011 FTC complaint noted that Twitter's systems were full of highly sensitive data that could allow a hostile government to find precise location data for specific users and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of passing along sensitive Twitter user data to royal family members in Saudi Arabia in exchange for bribes.
The complaint said Twitter was also heavily reliant on funding by Chinese entities and that there were concerns within Twitter that the company was providing information to those entities that would enable them to learn the identity and sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.
Zatko also describes willful ignorance by Twitter executives on counting the millions of accounts that are automated "spam bots" or otherwise have no value to advertisers because there is no person behind them. Zatko cited a "damning" 2021 outside report that found Twitter's tools for tackling bots were neither sufficiently automated nor sophisticated and instead relied on humans "not adequately staffed or resourced, to address the misinformation and disinformation problem."
Alex Spiro, an attorney representing Musk in his effort to back out of his Twitter acquisition deal, said lawyers have issued a subpoena for Zatko. "We found his exit and that of other key employees curious in light of what we have been finding," Spiro wrote in an email Tuesday. Spiro said Zatko and Musk have not been in contact at any time this year.
Tye said "he's never met Elon Musk. Doesn't know Elon Musk. They know people in common." Asked if mutual friends could have shared information about Twitter's bot problems with Musk, Tye said Zatko "has not communicated with any other party about his disclosures" since filing the complaints in July.