Twitter misled officials on security issues: Complaint
(NewsNation) — Twitter’s former head of security is accusing the social media giant’s executives of misleading federal regulators and its board of directors about deficiencies in its defenses against hackers and spam.
The accusations — spelled out in a whistleblower complaint obtained by The Washington Post and CNN — said Twitter has major security problems that pose a threat to users’ personal information, company shareholders, national security and to democracy, the cable network said.
The Washington Post wrote that the complaint, made by Twitter’s former head of security Peiter Zatko, accused the social network of violating the terms of a 2011 settlement with the Federal Trade Commission (FTC) by falsely claiming that it had a solid security plan.
Zatko states in the complaint he warned colleagues that half of the company’s servers were out-of-date and that executives withheld facts about the number of breaches and lack of protection of user data. Directors were given “rosy charts” measuring unimportant changes, Zatko alleges.
“Twitter is grossly negligent in several areas of information security,” Zatko said in the complaint, per the Washington Post. “If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
Twitter fell more than 7% on the stock market Tuesday after the news came out.
“It’s important to preface all of this by saying none of these accusations have been confirmed, but if they are true, they are very problematic for the company,” said NewsNation business contributor Lydia Moynihan.
Filed last month with the Securities and Exchange Commission and Department of Justice, as well as the FTC, the complaint details how thousands of employees had wide-ranging and poorly tracked internal access to core company software. The Washington Post reports this allowed hackers to access accounts belonging to Tesla CEO Elon Musk, as well as former presidents Barack Obama and Donald Trump.
In addition, Zatko’s complaint accuses Twitter CEO Parag Agrawal of lying when he said the company was “strongly incentivized to detect and remove as much spam” as possible. Instead, Zatko said, Twitter prioritized user growth over reducing spam, as executives stood to get bonuses of as much as $10 million tied to getting an increase in daily users.
“Agrawal’s Tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots,” the complaint says, according to The Washington Post. “The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”
Allegations about Twitter’s handling of spam accounts are at the core of Musk’s threats to walk away from buying the company for $44 billion.
Alex Spiro, an attorney representing Musk in his effort to back out of the deal to buy Twitter, said lawyers have issued a subpoena for Zatko. “We found his exit and that of other key employees curious in light of what we have been finding,” Spiro wrote in an email Tuesday.
Another damning accusation included in Zatko’s complaint is that Twitter knowingly allowed the Indian government to put its agents on the company payroll, where they had “direct unsupervised access to the company’s systems and user data.” Twitter was also heavily reliant on funding by Chinese entities, the complaint said, and there were concerns within Twitter that the company was providing information to them that would allow them to learn the identity and sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.
A Twitter spokesperson told NewsNation in a statement that Zatko was fired in January of this year for “ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the statement said. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Zatko, better known as Mudge, is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google. He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020.
He told the Post he felt “ethically bound” to come forward.
The U.S. Securities and Exchange Commission, Department of Justice and Federal Trade Commission declined to comment to the Post.
Shares of Twitter slid 4% Tuesday.
Rachel Cohen, a spokesperson for the U.S. Senate’s intelligence committee, said it received Zatko’s complaint and is “in the process of setting up a meeting to discuss the allegations in further detail.”
“We take this matter seriously,” she said.
Sen. Dick Durbin (D-Illinois) said if Zatko’s claims are accurate, they may “show dangerous data privacy and security risks for Twitter users around the world.”