
Former Twitter security chief alleges vulnerabilities risk national security, privacy

A download screen for Twitter is arranged for a photograph on Friday, August 19, 2022.

Former Twitter security chief Peiter Zatko is alleging that the social media company has major security deficiencies that threaten privacy on the platform and national security more broadly, according to a whistleblower complaint obtained by CNN and The Washington Post.

Zatko’s complaint reportedly alleges that Twitter made false claims about its security setup, violating a settlement with the Federal Trade Commission (FTC), and that the company’s leadership misled the government and its own board about the security issues.

Some of the security issues allegedly leave the company vulnerable to disinformation, hacking and foreign spying, CNN reported.

The Post added that Zatko filed the complaint with the Securities and Exchange Commission, Department of Justice and the FTC last month, after warning Twitter colleagues about his security concerns.

“Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a company analysis included in the complaint as an exhibit, according to the newspaper.

Among several concerns, Zatko reportedly alleged that some of Twitter’s servers were operating outdated software, that many employees had internal access that could jeopardize user accounts and that the company had problems controlling spam on the platform. User data was also allegedly not properly erased after individuals deleted their accounts, according to the news outlets.

“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Sen. Chuck Grassley (R-Iowa), whose office has reportedly discussed the security complaints with Zatko, said in a statement to CNN and the Post. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

Zatko, identified as a hacker himself, was hired by Twitter in 2020.

A Twitter spokesperson in a statement stressed that security and privacy are top priorities at the company, adding that Zatko was fired months ago for “ineffective leadership and poor performance.”

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the spokesperson said. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

The allegations from the whistleblower come as Elon Musk is trying to back out of his bid to buy the platform for $44 billion. The Tesla CEO is basing his push to terminate the deal on accusations that Twitter failed to provide information about the prevalence of fake or spam accounts on the platform.

Twitter has denied Musk’s claims.

The case is set to go to trial in a Delaware court in October.

John Tye, founder of Whistleblower Aid, the group representing Zatko, told CNN that Zatko has not been in contact with Musk and began the whistleblower process before the indication of Musk’s involvement with the social media company. The group also represented Facebook whistleblower Frances Haugen when she came forward last year.

“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Alex Spiro, an attorney for Musk, said.

Updated at 10:33 a.m.