Twitter’s former head of cybersecurity has accused the company of a number of egregious security flaws and oversights, according to a whistleblower complaint filed with the U.S. government this year.

The complaint, first reported on by The Washington Post and CNN, makes a wide range of damning claims about Twitter, including that members of the company’s board of directors misled the public and government agencies about the company’s security. The former security chief alleged in the complaint that he was told to withhold a major security report from Twitter’s board and to write misleading security documents.

Peiter “Mudge” Zatko, a veteran cybersecurity expert widely respected in the industry, filed the complaint with the Securities and Exchange Commission, Federal Trade Commission and the Department of Justice in July. Whistleblower Aid, a nonprofit that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.

Twitter CEO Parag Agrawal fired Zatko and another top security official in a shakeup of that department in January.

In a statement in response to the whistleblower complaint, a Twitter spokesperson called Zatko’s account “a false narrative” and said Zatko was fired because he displayed “ineffective leadership and poor performance.” It also said his allegations about Twitter’s security was “riddled with inconsistencies and inaccuracies and lacks important context.”

Some of the complaint’s noteworthy allegations include:

  • Twitter suffered security incidents significant enough to warrant a report to a government agency about once a week, with 20 breaches in 2020 alone.

  • Twitter doesn’t prioritize the removal of spam or bot accounts to the effect that CEO Parag Agrawal has previously described.

  • The company has never been in compliance with an agreement it made with the FTC in 2011 to protect users’ personal information.

  • Twitter does little to monitor for so-called insider threats, employees or contractors who use their positions in the company to steal information, and instead leaves them “virtually unmonitored.”

The complaint comes at a particularly sensitive time for Twitter, which is fighting in court to ensure that Tesla CEO Elon Musk goes through with a deal to purchase Twitter for more than $44 billion. Musk is trying to pull out of the deal. Musk’s legal argument rests on alleging Twitter misled investors about its product, including how well it fights fake accounts.

Zatko’s allegations appear to bolster Musk’s claims about spam on Twitter, with the complaint stating that Agrrawal “knows very well that Twitter executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”

Alex Spiro, an attorney at Quinn Emanuel, the firm representing Musk in that case, told NBC News that his team has already subpoenaed Zatko seeking information on how Twitter handles spam.

On Twitter, Musk appeared to acknolwedged the whisteblower's emergence.

While insider threats are a concern for every major company, Twitter was recently the victim of one of the highest profile incidents in years. Earlier this month, a jury convicted the company’s former head of Middle Eastern media partnerships, Ahmad Abouammo, of illegally acting as a foreign agent for Saudi Arabia. An American jury found him guilty of accessing select users’ private information and passing it to Saudi officials and the Saudi royal family.

Twitter founder and former CEO Jack Dorsey hired Zatko in November 2020 in the wake of the company suffering the most visibly embarrassing hack of a social media company in recent history. The hackers behind that incident took control of a host of high-profile accounts, including those of then-presidential candidate Joe Biden, Bill Gates and Elon Musk, and posted tweets asking followers to send them bitcoin. Dorsey at the time said he felt “terrible” about the hack, and Twitter said at the time it was likely a social engineering attack that targeted employees with access to its internal system.

The Department of Justice later charged a 22-year-old in Florida, a 19-year-old British man and one then-juvenile for the incident.

Zatko has a long and distinguished career in cybersecurity, with a specialization in identifying potential flaws that malicious hackers might try to exploit. He previously led security research teams at the Department of Defense and Google.

Twitter’s statement about Zatko prompted outcries from the cybersecurity industry, which has long regarded him as an industry icon.

Tarah Wheeler, a veteran cybersecurity researcher and the CEO of Red Queen Dynamics, a cybersecurity and compliance company, said in a text message that Zatko is “beloved in the information security community for his technical chops.”

“I trust him and the roars of ‘I stand with Mudge’ from the internet today are unlike anything I’ve seen before for a whistleblower — and totally deserved,” Wheeler said.

Rob Lee, the CEO and co-founder of Dragos, a leading cybersecurity company for industrial systems, said in an email that Zatko is a singular figure in the industry.

“I can think of no one else that has risen to the level of respect and significance in the information security community, hacker community and government security communities,” Lee said of Zatko.

Sen Marco Rubio, R-Fla., the ranking member of the Senate Intelligence Committee, told NBC News that the committee had received a copy of the complaint.

“We’re treating the complaint with the seriousness it deserves and look forward to learning more,” Rubio said.

Sen. Dick Durbin, D-Ill., chair of the Senate Judiciary Committee, said in a statement that the claims, if accurate, “may show dangerous data privacy and security risks for Twitter users around the world

“As Chair of the Senate Judiciary Committee, I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations,” Durbin said in the statement.

NBC News reached out to Zatko for comment while CNBC contacted the DOJ and FTC, but didn’t immediately receive any responses. The SEC declined to comment.

Source: Read Full Article