Peiter Zatko, Twitter’s former head of security, filed a complaint against his former employer last month, claiming he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate.”
Then-CEO Jack Dorsey hired Zatko, a hacker known as “Mudge,” in July 2020 after teenagers hacked Twitter.
Dorsey resigned in November 2021. Parag Agrawal took over as CEO.
Then, in December, Zatko “began the lawful disclosure process and exhausted internal channels before contacting law enforcement agencies.”
Twitter fired Zatko in January for supposed “poor performance.”
From The Washington Post (Archive Link):
Twitter executives deceived federal regulators and the company’s own board of directors about “extreme, egregious deficiencies” in its defenses against hackers, as well as its meager efforts to fight spam, according to an explosive whistleblower complaint from its former security chief.

The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.
Other complaints include:
Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).
Zatko also alleges that Twitter “prioritized user growth over reducing spam, though unwanted content made the user experience worse.” Executives could win bonuses “as much as $10 million tied to increases in daily users.” They received nothing “for cutting spam.”
Zatko’s complaint is kind to Dorsey but depicts “him as extremely disengaged in his final months leading Twitter — so much so that some senior staff even considered the possibility he was sick.”
The complaint is harsh towards Agrawal, who fired the security head two months after taking over as CEO:
According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors. The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.
Whistleblower Aid, an organization that helps protect whistleblowers, helped Zatko file his claim with the Securities and Exchange Commission (SEC) last month.
The organization has nothing but praise for Zatko:
“Twitter has an outsized influence on the lives of hundreds of millions around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform,” said Libby Liu, CEO of Whistleblower Aid. “It has taken the courage of a high-level whistleblower with an impeccable reputation for ethics and integrity for law enforcement agencies, and the public, to learn the truth.”

John Tye, Whistleblower Aid’s Chief Disclosure Officer, said:

“Mudge is a hero, stepping forward at real personal risk to ensure that law enforcement agencies have the ground truth about what’s happening inside Twitter. The agencies should investigate these disclosures quickly, and if warranted by the evidence, bring enforcement actions.”
WaPo and CNN reached out to Twitter for comments and answers. It seems both outlets received the same vanilla statement. From CNN:
In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the Twitter spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Zatko’s complaint could help Elon Musk in his fight against Twitter. Musk is trying to back out of a deal to purchase Twitter, accusing the company “of lying about the number of spam bots on its platform.”