Whistleblower accuses Twitter of cybersecurity negligence

Aug 22, 2022, 6:46 PM | Updated: Aug 23, 2022, 6:40 pm

FILE - The Twitter application is seen on a digital device, Monday, April 25, 2022, in San Diego. A former head of security at Twitter has filed whistleblower complaints with U.S. officials, Tuesday, Aug. 23, 2022, alleging that the company misled regulators about its cybersecurity defenses and its problems with fake accounts, according to reports by the Washington Post and CNN. Peiter Zatko, Twitter's security chief until he was fired early this year, filed the complaints last month with the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. (AP Photo/Gregory Bull, File)


Twitter’s former head of security alleged that the company misled regulators about its poor cybersecurity defenses and its negligence in attempting to root out fake accounts that spread disinformation, according to a whistleblower complaint filed with U.S. officials.

The revelation could create serious legal and financial problems for the social media platform, which is currently attempting to force Tesla CEO Elon Musk to consummate his $44 billion offer to buy the company. Several members of Congress on Tuesday called on regulators to investigate the claims.

Peiter Zatko, who served as Twitter’s security chief until he was fired early this year, filed the complaints last month with the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The legal nonprofit Whistleblower Aid, which is working with Zatko, confirmed the authenticity of a redacted copy of the complaint posted online by the Washington Post.

“This was a last resort for him,” said John Tye, the group’s co-founder and chief disclosure officer, in an interview Tuesday. He said Zatko exhausted all attempts to get his concerns resolved inside the company before his firing in January.

Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of “spam” or fake accounts, an allegation that is at the core of Musk’s attempt to back out of the Twitter takeover.

Shares of Twitter Inc. closed down more than 7% Tuesday.

Better known by his hacker handle “Mudge,” Zatko is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google.

He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.

Twitter said in a prepared statement Tuesday that Zatko was fired for “ineffective leadership and poor performance” and said the “allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.” The company called his complaint “a false narrative” that is “riddled with inconsistencies and inaccuracies and lacks important context.”

Zatko’s attorneys, Debra Katz and Alexis Ronickher, said Twitter’s claim about his poor performance is false and that he repeatedly raised concerns about “grossly inadequate information security systems” with top executives and Twitter’s board of directors. The lawyers said that in late 2021, after the board was given “whitewashed” information about those security problems, Zatko escalated his concerns, “clashed” with CEO Parag Agrawal and board member Omid Kordestani and was fired two weeks later.

The 84-page complaint describes a broken corporate culture at Twitter that lacked effective leadership and where Zatko said top executives practiced “deliberate ignorance” of pressing problems. His description of Dorsey’s leadership style is particularly scathing; he described the Twitter founder as “extremely disengaged” during the last months of his tenure as CEO to the point where he would not even speak during meetings on complex issues facing the company.

Zatko said he heard from colleagues that Dorsey would remain silent for “days or weeks.” Dorsey announced he was stepping down as Twitter CEO in November 2021.

The disclosure says Twitter offered no monetary incentives for improving security and platform integrity, although the company did offer $10 million bonuses last year for top executives who could generate short-term user growth.

Among Zatko’s accusations of cybersecurity malpractice: Software and security updates were disabled on more than a third of employees’ computers — unduly exposing them to malware — and it was common for people to install “whatever software they wanted on their work systems.” Such lapses are typically considered cardinal sins in cybersecurity.

Whistleblower Aid said it is legally precluded from sharing Zatko’s statement. The same group worked with former Facebook employee Frances Haugen, who testified to Congress last year after leaking internal documents and accusing the social media giant of choosing profit over safety.

“I wouldn’t say he’s happy about having to become a whistleblower, but he’s resolute in his decision,” Tye said. “And committed to getting to the bottom of this.”

A spokesperson for the U.S. Senate’s intelligence committee, Rachel Cohen, said the committee has received Zatko’s complaint and is working to set up a meeting “to discuss the allegations in further detail. We take this matter seriously.”

Sen. Dick Durbin, an Illinois Democrat, said in a prepared statement that if the claims are accurate, “they may show dangerous data privacy and security risks for Twitter users around the world.”

Among the most alarming complaints is Zatko’s allegation that Twitter knowingly allowed the Indian government to place its agents on the company payroll where they had “direct unsupervised access to the company’s systems and user data.”

A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise location data for specific users and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of passing along sensitive Twitter user data to royal family members in Saudi Arabia in exchange for bribes.

The complaint said Twitter was also heavily reliant on funding by Chinese entities and that there were concerns within Twitter that the company was providing information to those entities that would enable them to learn the identity and sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.

Zatko also describes willful ignorance by Twitter executives on counting the millions of accounts that are automated “spam bots” or otherwise have no value to advertisers because there is no person behind them. Zatko cited a “damning” 2021 outside report that found Twitter’s tools for tackling bots were neither sufficiently automated nor sophisticated and instead relied on humans “not adequately staffed or resourced, to address the misinformation and disinformation problem.”

Alex Spiro, an attorney representing Musk in his effort to back out of his Twitter acquisition deal, said lawyers have issued a subpoena for Zatko. “We found his exit and that of other key employees curious in light of what we have been finding,” Spiro wrote in an email Tuesday. Spiro said Zatko and Musk have not been in contact at any time this year.

Tye said “he’s never met Elon Musk. Doesn’t know Elon Musk. They know people in common.” Asked if mutual friends could have shared information about Twitter’s bot problems with Musk, Tye said Zatko “has not communicated with any other party about his disclosures” since filing the complaints in July.

---

AP writers Tom Krisher and Marcy Gordon contributed to this report.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
