Peiter Zatko, a former head of security at Twitter, has accused the social media platform of “extreme, egregious deficiencies” in its handling of user information and spam bots, in a scathing whistleblower complaint.
Zatko, a veteran hacker and security expert also known as “Mudge,” said the company misled its users, board committees, and the federal government about the strength of its security measures. Jack Dorsey, Twitter co-founder and then CEO, hired Zatko in 2020 to reinforce the company’s security as it dealt with a mass hack that targeted 130 high-profile Twitter accounts.
In an analysis reported in February, Zatko wrote that Twitter had been completely careless in numerous areas of information security. The complaint repeats that analysis and adds that, if the company did not come up with a solution to these problems, the media, regulators, and the platform’s users would be stunned once they learned of the company’s extreme lack of information security basics.
Zatko filed the complaint against Twitter with the Federal Trade Commission (FTC), the US Securities and Exchange Commission (SEC), and the Department of Justice, as reported on the morning of August 23. A redacted version of the complaint has been forwarded to several congressional committees.
The filing claims that the social media platform violated its 2011 settlement with the FTC, in which Twitter agreed to develop a comprehensive security program to protect the personal information of its users. According to Zatko, user data is already at risk of hacking, including users’ personal details and some of the platform’s most high-profile verified handles.
Zatko raised a particular concern about the access its workforce has to the company’s core software: according to those familiar with the matter, these accounts are poorly secured and at high risk of being hacked. He also alleged that around 30% of Twitter’s laptops automatically blocked updates, which generally contain security fixes.
In addition, he accused Twitter executives of not being truthful with the company’s board of directors about the vulnerabilities Twitter is dealing with. A presentation to the board’s risk committee late last year showed that 92% of employee systems had security software installed.
The complaint also alleges that the company has not been truthful about the number of spam bots it is dealing with. Zatko said the company’s claim in May that it was strongly focused on detecting and removing as much spam as possible was a lie; instead, its executives were highly motivated to grow user numbers.
Twitter denied all of Zatko’s accusations and stated that he was terminated from the company for ineffective leadership and poor performance.
Twitter said that what it has seen so far is a false narrative about the company’s privacy and data security practices, one riddled with inaccuracies and inconsistencies and lacking important context. It further said, “Mr. Zatko’s allegations and opportunistic timing appeared to be designed to capture attention and inflict harm on Twitter, its customers, and its shareholders.”
Privacy and security have always been a top priority for the company and will remain so, Twitter said.
The complaint came while the company was already in a legal fight with Elon Musk, who had withdrawn his US$44 billion offer to buy Twitter on the grounds that it was underplaying the prevalence of bots on its platform.