Twitter Has Major Security Problems Says Whistleblower

Twitter hasn’t been having a good time lately, largely because of Elon Musk and his attempt to buy the platform, a dispute that is now in court. But it’s about to get a whole lot worse.

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post. 

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

Well, that sounds delightful. Which is a backhanded way of saying O.M.G. But here’s the plot twist. Not only does the whistleblower have a name, his disclosure could also factor into the lawsuit currently going on between Musk and Twitter:

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).

The part about the bots is important, as bot counts are Musk’s number one reason for backing out of the deal to buy Twitter, which in turn led to the lawsuit. And pretty much everything else that Zatko is claiming is sure to get the attention of governments around the world, all of whom will be asking Twitter some very tough questions. I hope they have their answers queued up. And I hope they’re better than this:

In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process. 

“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” the Twitter spokesperson said. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”

Those are talking points, Twitter. What you need to do is show everyone that what he says isn’t true. You might as well do it now, because I guarantee that you’ll be made to do it by the EU or the US, among others.

Take it from me. Twitter is about to have a very bad day.

UPDATE: Kevin Novak, Managing Director of Cybersecurity at Breakwater Solutions, had this comment:

“Whether you cut your teeth on Mainframes or Commodores, Windows or Solaris, there is no doubt you know the name “Mudge”; his reputation precedes him across the globe, from technologists to hackers alike. He’s known not only for his technological and security know-how, but also for his appreciation of what is, and more importantly is not, a material cyber threat. It should come as no surprise, then, that security practitioners around the world are challenging Twitter’s allegation that Peiter “Mudge” Zatko was let go for poor performance, and not for his act of openly painting a less than stellar picture of Twitter’s cyber practices to his Board of Directors in defiance of his management’s wishes.

The role of the Chief Information Security Officer (CISO) has changed considerably over the last decade, as it has been thrust out of the back room and into the board room. CISOs today are challenged with wearing an array of differing functional hats that range from Legal to Marketing, to Technology, to Physical Security, to Privacy and Compliance, to Human Resources. They are required to speak the most technical language when managing in the trenches and shift on a dime to provide cyber risk and financial loss analysis to Board Members. Further, CISOs have now been thrust into the world of personal accountability, with threats of prosecution when they don’t do ENOUGH to force cyber change internally, like that of former Uber CISO Joe Sullivan, who was recently charged with obstruction by US Prosecutors. While I’m certainly not in a position to comment on whether Joe Sullivan acted inappropriately, the challenge for most CISOs when it comes to reporting major concerns is that most CISOs only have a perceived degree of independence.

The fact is, most CISOs go out of their way to shine a light on those insecurities that threaten an organization and its clients, and good CISOs even craft their message in terms that business executives understand: the potential for Lawsuits, Financial Fraud, Damage to Reputation, Loss of Operations, Government Sanctions, and Regulatory Scrutiny, to name a few. But bringing those messages to your manager, Sr. Executives, or the CEO is very different than answering openly and transparently to the Board of Directors, particularly when you’ve been discouraged from doing so by your management team. Speaking candidly, openly, and transparently to the board is often considered “career limiting”, and you’ll often hear CISOs use language like: “I’m aligned with my manager, and we’re working through any challenges we’ve encountered”. So CISOs often have to choose between evils when facing the dissonance of knowing that their firm is acting recklessly: they can quit, speak openly and honestly and then face termination for not being a team player or, more likely, for “poor performance”, or whistleblow. None of these options is very appealing to the CISO, as each is profoundly impactful on their professional career, but they are issues that CISOs around the world face regularly. It’s the reason that many regulators and regulatory doctrine have begun encouraging more independence for the CISO, reporting to the Board or CEO directly and not through a litany of management that might change their message before it can be heard by those who hold a fiduciary duty for protecting not only their own firm, but that of the public at large.

Time will tell when it comes to the case of Twitter vs. Mudge, but our hope is that the bad practices it elucidates bring positive change to the industry and help CISOs going forward.”
