Accusations from a former Twitter Inc. executive that the social network had lax data protections have sparked concerns among lawmakers and cyber experts that the alleged vulnerabilities pose a threat to national security.
The whistle-blower complaint from former security chief Peiter Zatko, known by the nickname “Mudge,” flagged to US authorities what he described as “egregious deficiencies” in the social media company’s ability to fend off attackers.
The most damning claims from Zatko, who was fired earlier this year for what Twitter described as poor performance, suggest the company relied on outdated software and that executives failed to understand the level of access that employees had to user accounts. In addition, Zatko suggested that Twitter is vulnerable to espionage from foreign governments and that some employees may be working for government intelligence agencies.
“These allegations could have serious national security, privacy and election security implications and must be aggressively investigated,” Representative John Katko, a Republican from New York, said in a statement.
In perhaps the most remarkable claim, Zatko said that roughly half the company’s workforce had deep access to Twitter’s controls, a situation that would give insiders the ability to manipulate the site or access user information with little or no oversight. In an interview with the Washington Post—which, along with CNN, first reported on the whistle-blower disclosures—Zatko expressed concern that such a vulnerability could have given a Twitter employee who sympathized with Jan. 6, 2021, insurrectionists the ability to somehow go rogue.
“If it is true, as alleged by Zatko, that Twitter does not have structural controls in place to prevent or detect cybersecurity incidents of the insider threat variety, then Twitter is currently a far more profound national security risk to the United States than TikTok could ever hope to be,” said Jackie Singh, who worked as a senior cybersecurity staffer for Joe Biden’s presidential campaign. “This should be alarming to the thousands of democracy-supporting people and institutions who rely on Twitter to inform and connect us.”
Twitter also knowingly hired Indian government agents who would have had unsupervised access to “vast amounts of Twitter’s sensitive data,” according to the complaint. Furthermore, according to Zatko, the company misrepresented on its transparency reports that it knew Indian government representatives were on the company’s payroll.
The charge comes two weeks after a US court finding a former Twitter employee guilty of spying for Saudi Arabia by gathering personal information about people who used anonymous profiles to criticize the kingdom and its royal family.
In a statement to Bloomberg News on Tuesday, Twitter disputed the details in Zatko’s complaint without pointing to specific inaccuracies.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the San Francisco-based company said.
John Tye, a representative for Zatko at the legal organization Whistleblower Aid, said the former executive stands by everything in the disclosure. “His career of ethical and effective leadership speaks for itself,” Tye said. “The focus should be on the facts laid out in the disclosure, not ad hominem attacks.”
Zatko also suggested that more than half of the 500,000 servers at the company were running operating systems that were outdated—to the point that they failed to support basic privacy and security features. While the redacted complaint doesn’t specify the nature of the software or security flaws in question, hackers often leverage older software to infiltrate organizations.
“The biggest red flag is that, according to the complaint, Twitter has remained complicit in lax cybersecurity practices without a shred of transparency,” said Tom Kelly, a member of the board at the cyber firm ZeroFox Holdings Inc.
(Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)