Twitter’s former head of cybersecurity has accused the company of a number of egregious security flaws and oversights, according to a whistleblower complaint filed with the federal government last month.
The complaint, first reported by The Washington Post and CNN, makes a wide variety of damning claims about Twitter, among them that members of the company’s board of directors misled the public and government agencies about its security. The former security chief alleged in the complaint that he was told to withhold a major security report from Twitter’s board and to write misleading security documents.
Peiter “Mudge” Zatko, a veteran cybersecurity expert widely respected in the industry, filed the complaint with the Securities and Exchange Commission, the Federal Trade Commission and the Justice Department in July. Whistleblower Aid, a nonprofit group that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.
Twitter CEO Parag Agrawal fired Zatko and another top security official in a shakeup of the department in January.
In a statement in response to the complaint, a Twitter spokesperson said that Zatko’s account was “a false narrative” and that Zatko was fired because he displayed “ineffective leadership and poor performance.” It also said his allegations about Twitter’s security were “riddled with inconsistencies and inaccuracies” and that the complaint “lacks important context.”
Among the complaint’s noteworthy allegations:
- Twitter suffered security incidents significant enough to warrant a report to a government agency about once a week, with 20 breaches in 2020 alone.
- Twitter doesn’t prioritize removing spam or bot accounts to the extent that CEO Parag Agrawal has previously described.
- The company has never been in compliance with an agreement it made with the FTC in 2011 to protect users’ personal information.
- Twitter does little to monitor for so-called insider threats, employees or contractors who use their positions in the company to steal information, and instead leaves them “virtually unmonitored.”
The complaint comes at a particularly sensitive time for Twitter, which is fighting in court to ensure that Tesla CEO Elon Musk goes through with a deal to buy it for more than $44 billion. Musk is trying to pull out of the deal. Musk’s legal argument rests on alleging that Twitter misled investors about its product, including how well it fights fake accounts.
Zatko’s allegations appear to bolster Musk’s claims about spam on Twitter. The complaint says Agrawal “knows very well that Twitter executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”
Alex Spiro, an attorney at Quinn Emanuel, the firm representing Musk in that case, said his team has already subpoenaed Zatko seeking information about how Twitter handles spam.
Musk appeared to acknowledge the whistleblower's emergence on Twitter.
Insider threats are a concern for every major company, and Twitter was recently the victim of one of the highest-profile incidents in years. A federal jury this month convicted its former head of Middle Eastern media partnerships, Ahmad Abouammo, of illegally acting as a foreign agent for Saudi Arabia. The jury found him guilty of accessing select users’ private information and passing it to Saudi officials and the Saudi royal family.
Twitter co-founder and former CEO Jack Dorsey hired Zatko in November 2020, after the company had suffered the most visibly embarrassing hack of a social media company in recent history. The hackers took control of a host of high-profile accounts, including those of presidential candidate Joe Biden, Bill Gates and Musk, and posted tweets asking followers to send them bitcoin. Dorsey said at the time that he felt “terrible” about the hack, and Twitter said a social engineering attack had most likely targeted employees with access to its internal systems.
The Justice Department later charged three people in the incident: a 22-year-old from Florida, a 19-year-old British man and a person who was then a juvenile.
Zatko has had a long and distinguished career in cybersecurity, with a specialization in identifying potential flaws that malicious hackers might try to exploit. He previously led security research teams at the Defense Department and Google.
Twitter’s statement about Zatko prompted outcries from the cybersecurity industry, which has long regarded him as an industry icon.
Veteran cybersecurity researcher Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity and compliance company, said in a text message that Zatko is “beloved in the information security community for his technical chops.”
“I trust him and the roars of ‘I stand with Mudge’ from the internet today are unlike anything I’ve seen before for a whistleblower — and totally deserved,” Wheeler said.
Rob Lee, a co-founder and the CEO of Dragos, a leading cybersecurity company for industrial systems, said in an email that Zatko is a singular figure in the industry.
“I can think of no one else that has risen to the level of respect and significance in the information security community, hacker community and government security communities,” Lee said.
Sen. Marco Rubio, R-Fla., the ranking member of the Intelligence Committee, told NBC News that the committee had received a copy of the complaint.
“We’re treating the complaint with the seriousness it deserves and look forward to learning more,” Rubio said.
Sen. Dick Durbin, D-Ill., the chair of the Judiciary Committee, said in a statement that the claims, if accurate, “may show dangerous data privacy and security risks for Twitter users around the world.”
“As Chair of the Senate Judiciary Committee, I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations,” he said.
NBC News asked Zatko for comment, while CNBC contacted the Justice Department and the FTC, but they didn’t immediately receive any responses. The SEC declined to comment.