For Twitter it is going from bad to worse. While the social media behemoth is busy fighting a legal battle against Elon Musk, Peiter Zatko, the firm’s security chief until January 2022, has blown the whistle on the company’s cybersecurity posture, only five months after being sacked.
In a complaint filed to the U.S. Securities and Exchange Commission (SEC) on July 6 and obtained by CNN and The Washington Post, Zatko accuses Twitter of severe cybersecurity mismanagement.
In the complaint, he alleges that thousands of employee laptops contained complete copies of Twitter’s source code. He claims that about one-third of those devices blocked automatic security fixes, had system firewalls turned off and had remote desktop access enabled for non-approved purposes. He then accuses Twitter of failing to actively monitor what was downloaded on its employee’s devices, and that “employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” the complaint said.
The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.
During his two years as Twitter’s head of security, Zatko said that “the company had approximately one security incident each week serious enough that [it] was required to report it to government agencies.”
“In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” the complaint reads. “These included 20 incidents defined as breaches; all but two of which were access control related.”
Zatko went on and admitted he “reasonably feared Twitter could suffer an Equifax-level hack.”
As for the reason behind the explosive issue of fake accounts on Twitter – a subject at the heart of Elon Musk’s U-turn in acquiring the social media giant –, Zatko said that Twitter executives do not have the resources to fully understand the true number of bots on the platform, and weren’t motivated to do so.
Peiter Zatko, also know as his hacker moniker ‘Mudge’, was appointed as Twitter’s head of security in late-2020, a few months after that the Twitter accounts of some of the world’s most famous people, including Joe Biden and Elon Musk, were hacked.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” Twitter spokesperson Madeline Broas told TechCrunch, after insisting that “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”