Twitter whistleblower tells Congress the company was ’10 years behind’ industry security standards


Twitter Inc. was “10 years behind” industry security standards and had little grasp of the vast troves of data it collected, whistleblower Peiter “Mudge” Zatko claimed in devastating testimony before the Senate on Tuesday.

“They don’t know what data they have, where it lives, and they don’t know how to protect it,” Zatko, who led the company’s information security approach, said in testimony before the Senate Judiciary Committee.

Upon joining Twitter in late 2020, Zatko said he discovered that “this enormously influential company was over a decade behind” industry standards, and that when he raised security vulnerabilities with company executives, they failed to act.

Chief among his concerns was the company’s unwillingness to remove a foreign agent on Twitter’s payroll in a foreign office. “There were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing,” he said, because the company did not log how its internal systems were being used.
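As an added illustration, not code from the hearing, from Twitter, or from this article, the following Python sketches the kind of check that would have surfaced the pattern Zatko describes: a sliding-window count of failed authentication attempts per source address, with the set of targeted accounts attached so a brute force against one user can be told apart from a password spray across many. It runs over constructed sample log lines in a hypothetical `auth result=... user=... src=... svc=...` format; the format, field names, addresses, threshold and window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines (not real Twitter data): one hypothetical
# authentication event per line against an assumed internal service.
SAMPLE_LOG = """\
2022-09-13T10:00:01Z auth result=FAIL user=alice src=203.0.113.7 svc=admin-console
2022-09-13T10:00:02Z auth result=FAIL user=alice src=203.0.113.7 svc=admin-console
2022-09-13T10:00:03Z auth result=FAIL user=bob src=203.0.113.7 svc=admin-console
2022-09-13T10:00:04Z auth result=FAIL user=carol src=203.0.113.7 svc=admin-console
2022-09-13T10:00:05Z auth result=FAIL user=dave src=203.0.113.7 svc=admin-console
2022-09-13T10:00:06Z auth result=OK user=erin src=198.51.100.4 svc=admin-console
2022-09-13T10:00:07Z auth result=FAIL user=erin src=198.51.100.4 svc=admin-console
2022-09-13T10:00:08Z auth malformed entry that the collector mangled
2022-09-13T10:30:00Z auth result=FAIL user=frank src=203.0.113.7 svc=admin-console
"""

# Assumed log grammar; anything that does not match is treated as unparseable.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_failed_logins(lines, threshold=5, window_seconds=60):
    """Sliding-window count of FAIL results per source address.

    Emits one alert when a source accumulates `threshold` failures inside
    `window_seconds`, then resets that source's window so a later burst is
    reported separately. Unparseable lines are skipped rather than crashing
    the detector, and counted so the caller can see how much of the feed
    it cannot actually see. Returns (alerts, skipped_line_count).
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) for recent failures
    alerts = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["result"] != "FAIL":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that fell out of the window relative to this event.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": rec["src"],
                "svc": rec["svc"],
                "first": q[0][0].isoformat(),
                "last": rec["ts"].isoformat(),
                "count": len(q),
                "users": {user for _, user in q},  # many users => spray, one => brute force
            })
            q.clear()
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_failed_logins(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT {a['src']} -> {a['svc']}: {a['count']} failures across "
              f"{len(a['users'])} accounts, {a['first']}..{a['last']}")
    print(f"unparseable lines: {bad}")
```

On the constructed input the detector raises one alert for 203.0.113.7 (five failures against four different accounts in five seconds) and reports one unparseable line. The skipped count matters as much as the alert: a detector that silently discards what it cannot parse reproduces the blind spot Zatko describes, so a rising skipped count is itself a signal that logging has broken.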

Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government.

Equally galling, Zatko said, was an internal study conducted by Twitter’s own engineers. It found that for only about 20% of the data Twitter collects did the company know “why they got it, how it was supposed to be used, when it was supposed to be deleted.”

In November 2020, Twitter hired Zatko — who previously worked at the Pentagon, a Google division, and fintech firm Stripe — to fortify cybersecurity and privacy at the company following a high-profile hack allegedly spearheaded by a Florida teenager in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden.

“It’s not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room,” warned Zatko, who identified instances where foreign governments, including China, sought access to Twitter’s user data through various coercive methods.

The damaging testimony, which underscored a seeming unwillingness or indifference by Twitter leaders such as co-founder Jack Dorsey and the board of directors to address Zatko’s concerns, prompted calls by senators to restructure Twitter.

“I don’t see how [Twitter Chief Executive Parag] Agrawal can maintain his position at Twitter” if Zatko’s claims are accurate, Sen. Charles Grassley, R-Iowa, said. Agrawal did not accept an invitation to testify, Grassley added, because Twitter was concerned his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk to acquire the company. Musk is attempting to back out of the $44 billion deal, which goes to Delaware Court of Chancery in October.

Zatko could also find himself at the center of renewed regulatory scrutiny of Twitter, as was the case after Frances Haugen blew the whistle on then-Facebook nearly a year ago. The company has since been renamed Meta Platforms Inc. and is being sued by the Federal Trade Commission to block its planned purchase of virtual reality firm Within.

“Zatko’s allegation that Twitter was more concerned about foreign regulators than the FTC could be a wakeup call for U.S. lawmakers,” Insider Intelligence principal analyst Jasmine Enberg said.

“I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success,” Zatko told lawmakers on Tuesday. “But that success can only happen if the privacy and security of Twitter’s users and the public are protected.”

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a Twitter spokesperson told MarketWatch on Tuesday.

The company’s hiring process is independent of any foreign influence and access to data is managed through measures including background checks, access controls, and monitoring and detection systems and processes, according to a company representative.

Zatko was fired for “ineffective leadership and poor performance,” Agrawal wrote in an email to employees, calling the disclosures a “false narrative that is riddled with inconsistencies and inaccuracies” and presented out of context.

Twitter shares were up more than 2% on a day when the company’s shareholders voted to approve its $44 billion sale to Tesla Inc. CEO Musk, who is now attempting to back out of the deal.