Twitter’s data security practices are at least a decade behind industry standards and the company’s leadership doesn’t seem willing to put in the necessary effort to improve its defenses, Peiter Zatko, Twitter’s former head of security, told lawmakers during a congressional hearing today (Sept. 13).
Zatko, also known by his online handle “Mudge,” testified before the Senate Judiciary Committee today about a set of complaints he filed with regulators in July alleging Twitter lied to the U.S. government regarding its security practices and failed to protect user information.
Zatko was hired by former Twitter CEO Jack Dorsey in November 2020 to oversee the social media company’s security. He was fired in January this year after Parag Agrawal was promoted to CEO to replace Dorsey.
During his time at Twitter, Zatko said he discovered that “this enormously influential company was over a decade behind” industry security standards. “They don’t know what data they have, where it lives, or where it comes from. So, unsurprisingly, they can’t protect it,” he said.
He cited an internal study conducted by Twitter engineers which found the company doesn’t understand about 80 percent of the data it collects, how it’s supposed to be used and when it’s supposed to be deleted.
“This leads to the second problem, which is that the employees then have to have too much access to too much data in too many systems,” Zatko said. “You can think of it this way: it doesn’t matter who has keys if you don’t have any locks on the doors.”
Twitter is a “gold mine” for bad actors
Zatko said Twitter neither has a centralized system that logs activities on its platform nor an environment for testing new softwares before they go live—which are rare in the tech industry. These loopholes could make Twitter “a gold mine” for bad actors, such as foreign spies, said Zatko, who was an intelligence officer at the Department of Defense before joining Twitter.
The company’s management structure also fails to encourage engineers to report problems and bad behavior, Zatko added. “There was a culture of not reporting bad results up, but only reporting good results up. You were rewarded based upon…how you perform in an emergency, not for identifying existing problems and doing the groundwork and keeping the lights on.”
Twitter could not be reached for comment on Zatko’s testimony. The company has previously said allegations in Zatko’s regulatory complaints were riddled with inaccuracies and inconsistencies.
Also today, Twitter shareholders voted to approve Elon Musk’s $44 billion acquisition of the social media company—a deal Musk now wants to walk away from.
Musk, who is in a legal battle with Twitter over the acquisition, appeared to be entertained by the hearing. He tweeted a popcorn emoji this morning while the hearing was live steamed.
Musk recently obtained a court’s approval to introduce Zatko’s complaints to his countersuit against Twitter for violating their merger agreement. He and Twitter are scheduled to face off in Delaware’s Chancery Court for a five-day trial starting October 17.
🍿
— Elon Musk (@elonmusk) September 13, 2022
After the hearing, Zatko said through his attorney he hopes his testimony today “has helped educate the public about just how dire the security and privacy situation is at Twitter and how impacted we all are by these failures.”