Twitter whistleblower details allegations to lawmakers

Peiter "Mudge" Zatko appeared before the Senate Judiciary Committee.

September 13, 2022, 11:29 AM

A whistleblower on Tuesday detailed a slate of explosive allegations against Twitter to congressional lawmakers, describing what he said were widespread security failures and vulnerabilities at the popular social media giant and an effort inside the company to overlook those risks in order to keep the platform viable and profitable.

As Twitter's head of security, Peiter Zatko was a member of its executive team from late 2020 until he was fired earlier this year for alleged "ineffective leadership and poor performance," and Twitter has said he's out to harm the company.

He told lawmakers he arrived at Twitter and discovered the company "was over a decade behind industry security standards" and prioritized monetizing advertising at the expense of widespread security vulnerabilities.

"I'm here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Zatko testified before the Senate Judiciary Committee. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people and when an influential media platform can be compromised by teenagers, thieves and spies, and the company repeatedly creates security problems on their own -- this is a big deal for all of us."

Independent Security Consultant and Twitter Whistleblower Peiter "Mudge" Zatko swears in before testifying on Capitol Hill in Washington, D.C., Sept. 13, 2022.
Brendan Smialowski/AFP via Getty Images

Zatko said that Twitter executives overlooked data vulnerabilities because data is the genesis of its profits.

"The executive in charge of sales very shortly after I joined [said], 'This is a big internal conundrum, because we're making too much money from these sales are not going to stop. We need something that will make the employees more comfortable with the fact that we're doing this,'" Zatko said. "In a nutshell, it was, 'We're already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it.'"

Zatko also gave an illustrative example for senators, warning that there are no safeguards in place to prevent a single Twitter employee from simultaneously taking control of every senator's verified Twitter account -- creating a national security emergency. He was hired shortly after several high-profile accounts were compromised.

"I discovered two basic issues. First, they don't know what data they have, where it lives, or where it came from, and so unsurprisingly, they can't protect it," Zatko testified. "And this leads to the second problem, which is the employees then have to have too much access to too much data and too many systems. You can think of it this way, which is it doesn't matter who has keys if you don't have any locks on the doors, and this kind of vulnerability is not in the abstract. It's not far-fetched to say that employee inside the company could take over the accounts of all of the senators in this room."

Peiter "Mudge" Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, Sept. 13, 2022 in Washington, D.C.
Kevin Dietsch/Getty Images

Last month, Zatko brought his allegations to Congress and federal regulators, contending that Twitter misled regulators about its cybersecurity capabilities and efforts to control millions of fake accounts. Becoming visibly emotional Tuesday, Zatko lamented the impact his decision to become a whistleblower has had on his reputation and his family.

"Given to the real harm given the real harm to users and national security, I determined it was necessary to take on the personal and professional risks to myself and to my family of becoming a whistleblower," he said, pausing to regain his composure. "I did not make my whistleblower disclosures out of spite or to harm Twitter."

After the allegations became public last month, the Senate Judiciary Committee subpoenaed Zatko to testify, warning that his allegations "raise serious concerns" and potentially "show dangerous data privacy and security risks for Twitter users around the world."

Zatko was hired in 2020, reporting directly to then-Twitter CEO Jack Dorsey. His review of the platform contended that Twitter may currently have foreign intelligence agents on its payroll, among other alleged security vulnerabilities.

After learning of the scope of the spam accounts and other alleged security failures, billionaire Elon Musk has attempted to back out of his $44 billion offer to acquire Twitter.

Twitter Inc.'s former security chief Peiter "Mudge" Zatko testifies before a Senate Judiciary Committee hearing on Capitol Hill in Washington, Sept. 13, 2022.
Evelyn Hockstein/Reuters

Senators bemoaned the absence of a Twitter representative after Dorsey's successor -- Twitter's current CEO Parag Agrawal -- declined an invitation to testify amid his case against Musk.

"Unfortunately, this committee will not be able to get answers," Sen. Charles Grassley, the ranking Republican said of Agrawal's absence. "He rejected this committee's invitation to appear by claiming that it would jeopardize Twitter ongoing litigations with Mr. Musk."
