Twitter’s former security chief Peiter “Mudge” Zatko testified to a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk of falling into the wrong hands.
“It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a month after his whistleblower complaint was publicly reported.
Zatko testified that Twitter lacked basic security measures and had a freewheeling approach to data access among employees, opening the platform to major risks. As he wrote in his complaint, Zatko said he believed an agent of the Indian government managed to become an employee at the company, an example of the consequences of lax security practices.
The testimony adds fuel to the criticism by legislators that major tech platforms put revenue and growth goals over user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square has amplified Zatko’s revelations, which took on extra significance given Twitter’s legal spat with Elon Musk.
Musk sought to buy the company for $44 billion but then tried to back out of the deal, claiming Twitter should have been more forthcoming with information about how it calculates its percentage of spam accounts. A judge in the case recently said Musk could revise his counterclaims to reference issues Zatko raised.
A Twitter spokesperson disputed Zatko’s testimony and said the company uses access controls, background checks and monitoring and detection systems to control access to data.
“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent from foreign influence.
Here are the key takeaways from Zatko’s testimony
Lack of control over data
According to Zatko, Twitter’s systems are so disorganized that the platform can’t say for sure if it’s deleted a users’ data entirely. That’s because Twitter hasn’t tracked where all that data is stored.
“They don’t know what data they have, where it lives or where it came from, and so, unsurprisingly, they can’t protect it,” Zatko said.
Karim Hijazi, CEO of cyber intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure drift,” when people come and go, and different systems are sometimes neglected.
“It tends to be a little bit like someone’s garage over time,” said Hijazi, who previously served as director of intelligence at Mandiant, now owned by Google. “Now the problem is, unlike a garage where you can go in and you can start pulling it all apart sort of methodically … you can’t simply wipe away the database because it’s a patchwork quilt of new information and old information.”
Taking down some parts without knowing for sure whether they’re critical pieces could risk bringing down the broader system, Hijazi said.
But security experts expressed surprise by Zatko’s testimony that Twitter didn’t even have a staging environment to test updates, an intermediate step engineers can take between the development and production environments to work out issues with their code before setting it live.
“That was quite surprising for a big tech firm like Twitter to not have the basics,” Hijazi said. Even the smallest little startups in the world that have started seven and a half weeks ago have a dev, staging and production environments.”
Chris Lehman, CEO of SafeGuard Cyber and a former FireEye vice president, said “that would be shocking to me” if it’s true Twitter doesn’t have a staging environment.
He said “most mature organizations” would have this step to prevent systems from breaking on the live website.
“Without a staging environment, you create more opportunities for bugs and for problems,” Lehman said.
Broad employee access to user information
Zatko said the lack of understanding of where data lives means employees also have far more access than they should to Twitter’s systems.
“It doesn’t matter who has keys if you don’t have any locks on the doors,” Zatko said.
Engineers, who make up a large portion of the company, are given access to Twitter’s live testing environment by default, Zatko claimed. He said that type of access should be restricted to a smaller group.
With so many employees having access to important information, the company is vulnerable to problematic activities like bribes and hacks, Hijazi and Lehman said.
U.S. regulators don’t scare companies into compliance
One-time fines that often result from settlements with U.S. regulators like the Federal Trade Commission are not enough to incentivize stronger security practices, Zatko testified.
Zatko told Sen. Richard Blumenthal, D-Conn., that a $150 million settlement like the one Twitter reached with the FTC in May over allegations it misrepresented how it used contact information to target ads, would be insufficient to deter the company from bad security practices.
The company, he said, would be far more worried about European regulators that could impose more lasting remedies.
“While I was there, the concern only really was about a significantly higher amount,” Zatko said. “Or if it would have been a more institutional restructuring risk. But that amount would have been of little concern while I was there.”
Despite the flaws, users shouldn’t necessarily feel compelled to delete their accounts, Zatko and other security experts said.
“People can always opt to just disconnect,” Lehman said. “But the reality is, social media platforms are platforms for dialogue. And they are the new town square. That serves a public good. I think it would be bad if people just stopped using it.”
Hijazi said there’s no point in going into hiding.
“That’s impossible in this day and age,” he said. “However, I think that being naive to the belief that these organizations really have this under control and actually have your information secured is faulty.”