Whistleblower accuses Twitter of putting ‘profits over security’

Peiter Zatko’s appearance before US Senate judiciary committee could affect Elon Musk’s legal battle

Peiter 'Mudge' Zatko, former head of security at Twitter, testifying before the US Senate judiciary committee on data security at Twitter on Tuesday. Photograph: Kevin Dietsch/Getty Images

The former Twitter security chief central to Elon Musk’s attempt to back out of buying the social media company has accused its leadership of prioritising “profits over security”.

Peiter ‘Mudge’ Zatko said Twitter was “over a decade behind industry security standards” in an appearance before the US Senate judiciary committee. His testimony has opened up the social media company’s cybersecurity practices to scrutiny and could shape the future of Mr Musk’s high-stakes legal battle.

Mr Zatko, who was fired by Twitter in January and filed a whistleblower complaint to US authorities in early July, accused its executives of “misleading the public, lawmakers, regulators and even its own board of directors” over its security practices. The security lapses were so severe they threatened national security, he told legislators.

The accusations have been seized upon by Tesla co-founder Mr Musk, who is already suing Twitter to get out of his $44 billion (€44 million) agreement to buy the company, arguing that it underestimated and misled regulators on the number of bots on the platform.

Twitter shareholders voted on Tuesday to approve Mr Musk’s $44 billion takeover bid, according to a preliminary count.

In his opening statement, Senator Charles Grassley said Twitter chief executive Parag Agrawal had refused to attend the hearing, claiming it would “jeopardise the ongoing litigation” with Mr Musk. “If these allegations are true, I don’t see how Mr Agrawal can maintain his position at Twitter,” he added.

“Today’s hearing only confirms that Mr Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a Twitter spokesperson said.

During the wide-ranging hearing, Mr Zatko, who has held senior cybersecurity positions at Google and the US department of defence, described Twitter as failing to address its cyber vulnerabilities as it lurched from crisis to crisis.

Staffers did not “know what data they have, where it lives” and “have too much access to too much data”, he said. He estimated that thousands of employees had access to users’ sensitive information and that of advertising clients.

He said he and others had raised such issues internally, but instead executives misled regulators about their compliance with a 2011 settlement with the Federal Trade Commission that ordered them to bolster their privacy and security practices.

“Key parts of leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritise profits over security,” Mr Zatko added.

Legislators also homed in on Mr Zatko’s allegations that foreign intelligence agents were able to infiltrate the company, just weeks after a former Twitter employee was found guilty of passing personal information on Saudi dissidents from the platform to the country’s government.

Mr Zatko said the FBI had told Twitter that at least one Chinese government operative was on its payroll, but that it was struggling to log and track suspicious activity on its platform.

“They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” he said. He added he learned that “thousands of failed attempts to access internal systems were happening per week, and nobody was noticing”.

He also claimed that Twitter had been pressured by the Indian government to place agents from the country inside the company.

Twitter’s lawyers said last week that in early 2022 Mr Zatko had raised concerns with senior executives that it was misleading its risk committee on cybersecurity matters. The company said that these concerns had been investigated internally and “found to be without merit”.

On Tuesday, a Twitter spokesperson said the company’s hiring process was independent of foreign influence and that it had adequate controls and detection systems to protect data.

Mr Zatko’s allegations promise to play a significant role in the October trial over Mr Musk’s takeover.

A Delaware judge agreed last week to consider his allegations as part of Mr Musk’s case after his team asserted that, if true, they would constitute fresh grounds to cancel the deal. Mr Zatko has also been subpoenaed by Mr Musk’s team to testify in October. — Copyright The Financial Times Limited 2022