Twitter’s data logging, access and controls are so lax that they practically invite exploitation by hackers, insider threats, disinformation agents and foreign spies, according to former chief information security officer and whistleblower Peiter “Mudge” Zatko.
In congressional testimony, Zatko, a well-known information security professional with a decades-long record of advocating for better security policies in the public and private sectors, said Tuesday that after joining Twitter as its CISO in November 2020 and speaking to engineers and employees, he realized the company was “more than a decade behind industry safety standards.”
In particular, Twitter’s data infrastructure is so decentralized that even executives don’t know all the data the company collects or where it’s stored. When he brought these concerns to Twitter’s leadership, he claimed that their incentive structure led them to prioritize “profits over security.”
“First, they don’t know what data they have, where they live, or where they came from, and surprisingly, they can’t protect them. That leads to the second problem: employees have to have a lot of access to a lot of data in a lot of systems,” Zatko told the Senate Judiciary Committee.
In addition, Twitter has repeatedly dealt with foreign governments bribing or enticing employees to hand over user data. In 2019, two employees were accused of acting as illegal foreign agents of Saudi Arabia, passing sensitive user data to critics and dissidents of the royal family in exchange for money, and Zatko said there was also at least one Chinese foreign agent inside the company.
He also said that in his time as CISO, he observed at least one instance where a potential foreign agent from India was placed inside the company to gain access to information related to Twitter’s ongoing negotiations with Indian government officials over requests to ban certain accounts and content. He also recalled routinely seeing Twitter account credentials listed for sale on the dark web.
But the status quo at Twitter and the leadership’s preoccupation with growing and managing other public crises meant the company “simply lacked the basic skills to track down foreign intelligence agencies and take them out on its own.”
In the case of the Indian agent, he said he had to task a small internal team with developing the protocols needed to track and monitor just one individual, a solution that isn’t scalable across Twitter’s larger employee base. The value of such access is so great and so easy to gain that he assumed any foreign country that didn’t try to put agents inside the company wasn’t doing its job.
“From my understanding from people in the [intelligence] community that focus on foreign intelligence organizations and assets, if you put someone on Twitter…it would be very difficult for Twitter to find them, they would probably be able to stay there for a long period of time and to gain a significant amount of information to provide them with targeting people or information about Twitter’s decisions and discussions and about the direction of the company,” Zatko said.
When asked what data the company tends to collect about the average user, Zatko cited a user’s phone numbers, last IP address, other IP addresses, current email, previous emails, where Twitter thinks the user lives, where they are currently connecting from, what language they speak, the type of device they are connecting from, their web browser and possibly their computer type.
Twitter executives have denied Zatko’s claims, and after his whistleblower complaint went public, a company spokesman said he was fired in January for “ineffective leadership and poor performance.” According to the Wall Street Journal, the company paid Zatko $7 million in a settlement before he filed his complaint. Questions and a request for comment sent to Twitter’s press office were not immediately returned.
Committee Chairman Dick Durbin, D-Ill., said Twitter’s infrastructure is too important to leave user data insecure, comparing it to customers giving their money to a bank which then leaves the safe “open.” He referred to a widely reported 2020 incident in which two young hackers phished Twitter employees over the phone, posing as IT support to gain administrative access that allowed them to take over a number of high-profile Twitter accounts, including those of then-presidential candidate Joe Biden, former President Barack Obama, Elon Musk, Michael Bloomberg and others.
The potential for harm, Durbin argued, could have been much greater.
“We’ve already seen what can happen when small-time hackers break into Twitter accounts belonging to government officials, but what if the next time it’s not two teenagers trying to pull off a crypto scam?” Durbin said. “Imagine if it’s a malicious hacker or a hostile foreign government that gets into the President’s Twitter account, or sends out false information claiming there’s a terrorist attack in one of our cities? We could see widespread panic.”
The failure to protect user information was already the subject of a 2011 consent decree the company agreed to with the Federal Trade Commission. However, Zatko said FTC enforcement (usually in the form of one-time fines) is seen as toothless compared to regulations in other countries, such as France, and his testimony indicated that the company has not introduced the safeguards needed to prevent a similar attack from succeeding in the future.
“It is not in vain to say that one employee in the company can take over the accounts of all the senators in this chamber,” he said. “Given the real harm to users and national security, I decided it was necessary to take on the professional and personal risk to myself and my family to become a whistleblower.”