Here’s How Bad a Twitter Mega-Breach Would Be

“Twitter has seemingly neglected security for far too long, and with all the changes, there’s certainly a risk,” said David Kennedy, CEO of incident response firm TrustedSec, who previously worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there’s obviously an increased risk from an insider malicious perspective because of all the changes that are happening. Over time, the probability of an incident decreases, but the security risks and technology debt are still there.”

A Twitter breach can expose the company or users in a myriad of ways. Of particular concern would be an incident that endangers users who are activists, dissidents or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have potentially far-reaching consequences for identity theft, harassment and other harm to users around the world. And from a government intelligence perspective, the data has already proven valuable enough over the years to motivate government spies to infiltrate companies, a threat that whistleblower Zatko said Twitter was not prepared to counter.

The company was already under scrutiny by the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators asked the FTC to investigate whether “reported changes in internal reviews and data security practices” in Twitter violated the terms of a 2011 settlement between Twitter and the FTC over the misuse of past data.

If a breach were to occur, the details would, of course, dictate the consequences for users, Twitter and Musk. But the outspoken billionaire may want to note that, in late October, the FTC issued an injunction against online delivery service Drizly along with personal sanctions against its CEO, James Cory Rellas, after the company exposed the data of about 2.5 million users. The order requires the company to have stricter policies on deleting information and minimizing data collection and retention, while requiring Cory Rellas to do the same at any future company he works for.

Speaking at length about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn’t get too complacent. We see enough attempted interventions and successful interventions every day that we are not letting our guard down one bit,” he said. “Protection matters, sustainability matters in this space.”

Dan Tentler, a founder of attack simulation and remediation firm Phobos Group, who worked on Twitter’s security from 2011 to 2012, points out that while the current chaos and understaffing within the company create urgent potential risks, they can also present challenges for attackers, who may currently have difficulty mapping the organization to identify employees likely to hold strategic access or control within the company. He adds, however, that the stakes are high because of Twitter’s scale and reach around the world.

“If there are insiders inside Twitter or someone breaches Twitter, there’s probably not much to stop them from doing whatever they want — you have an environment where there may not be many safeguards,” he says.
