
Whistleblower Zatko to Senate: Twitter misleads public, has security issues

Sep 13, 2022


A former Twitter executive turned whistleblower appeared before the Senate Judiciary Committee and said that the company is misleading the public, lawmakers, regulators and even its own board of directors. Peiter “Mudge” Zatko, Twitter’s former head of security, also said the social media company is more than a decade behind industry security standards, putting users’ personal information at risk from hackers.

“It’s not far-fetched to say an employee could take over the accounts of all the senators in this room,” Zatko said during the hearing.

According to Zatko’s testimony, there is also an internal risk from employees who have far too much access to user data. Approximately 4,000 employees, about half of the total, have access to personal data.

“Twitter leadership has refused to make the tough but necessary changes to create a secure platform. Instead, Twitter leadership has repeatedly covered up its security failures by duping regulators and lying to users and investors,” Zatko said.

As an example, Zatko said another C-suite executive asked him to look into a user they thought posed a risk. Zatko said he asked a staff member to investigate, and the staffer determined the user’s name, address and current location within ten minutes.

Zatko also described a company that prioritizes profits over security. He testified that Twitter breaks its own policy by allowing organizations associated with the Chinese government to advertise on the site, which could put user information at risk.

“The executive in charge of sales very shortly after I joined said, ‘Mudge, this is a big internal conundrum because we’re making too much money from these sales. We’re not going to stop. We need something that will make the employees feel comfortable with the fact that we’re doing this’,” Zatko told the committee.

Ahead of the hearing, Chairman Dick Durbin, D-Ill., and Ranking Member Chuck Grassley, R-Iowa, sent a letter to Twitter’s CEO, Parag Agrawal, requesting more information about Twitter’s data protection policies.

The letter cited a Twitter employee who was convicted last month of working as an unregistered foreign agent for the Kingdom of Saudi Arabia. The defendant accepted payments in exchange for accessing and providing the private information of Twitter users to members of the Saudi Royal family and other Saudi officials.

The letter also asked Agrawal to address an accusation that the company misled the FTC about deleting the data of people who left the site, and to disclose the number of access-control-related security incidents that have occurred over the last two years.

Agrawal was invited to testify but declined, stating testimony could impact Twitter’s ongoing litigation with Elon Musk.

A former Twitter executive turned whistleblower appeared before the Senate Judiciary Committee to say the social media company is more than a decade behind industry security standards, and that this puts users’ personal information at risk from hackers.

Mudge: It’s not far-fetched to say an employee could take over the accounts of all the senators in this room.

Zatko, who goes by Mudge, says there’s also an internal risk from employees who have far too much access to user data. This is what he says happened when he asked a staff member to check on a specific user.

Mudge: “It only took that person 10 minutes to get back to me and said here’s who they are, this is the address where they live, this is where they are physically at this moment.”

Mudge also described a company that prioritizes profits over security. He testified Twitter breaks its own policy by allowing organizations associated with the Chinese government to advertise on the site, which could put user information at risk.

Zatko: “The executive in charge of sales came to me and said Mudge it’s a big internal conundrum because we’re making too much money from these sales. We’re not going to stop. We need something to make employees comfortable with the fact that we’re doing this.” 

Ahead of the hearing the Chairman and Ranking member of the committee sent a letter to Twitter’s CEO Parag Agrawal requesting more information about Twitter’s data protection policies.

Agrawal was invited to testify, but declined saying it could impact Twitter’s ongoing litigation with Elon Musk. Straight from DC, I’m Ray Bogan.