Twitter whistleblower Peiter Zatko testified before Congress about systemic and pervasive security vulnerabilities at the company.
“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company’s cyber security failures make it vulnerable to exploitation causing real harm to real people,” Zatko, former head of security at Twitter, said in his opening remarks to the Senate Judiciary Committee. “And when an influential media platform can be compromised by teenagers, thieves, and spies … the company repeatedly creates security problems on their own.”
Lawmakers subpoenaed Zatko after receiving copies of a complaint he filed with the U.S. Securities and Exchange Commission (SEC), which alleged the company had misled federal regulators about its defenses against hackers and foreign influence operations, according to the Washington Post.
He was fired from the company in January 2022 and filed a whistleblower complaint in July. His testimony could affect the purchase agreement between Twitter and billionaire Elon Musk, who has made repeated attempts to break the $44 billion deal amid concerns over the number of fake accounts on the platform.
However, Twitter shareholders are expected to hold a vote to approve or reject Musk’s takeover offer on the day of the Senate testimony.
Zatko testified that security problems were brought to him by engineers and employees of Twitter, but when he presented evidence of the issues to the executive team, they misled shareholders, lawmakers, and the public, refusing to address them.
He stated the inaction was twofold: company leadership “lacked the competency to understand the scope of the problem” and “executive incentives led them to prioritize profits over security.”
Zatko also told the Senate panel that half of the company’s employees have full access to “petabytes” of sensitive user data, including phone numbers, addresses, real-time location data, and what accounts users are registered to on other social media platforms.
“So for me, the concern there is anybody with access inside Twitter — and half the company has access to the production environment that has this — could go rooting through and find this information and use it for their own purposes,” he said.
He noted that part of the reason so many people have access to so much data is that the company does not have a software testing or staging environment. As a result, all of Twitter's engineers work directly in the live production environment, which he described as an "oddity" compared to how other companies handle software development.
Zatko cautioned that this can be an issue “if you are a foreign agent and you are hired and you are an engineer, you’ve got access to all of that data we talked about.”
He told the Senate panel he knows “with high confidence” of a foreign agent from India placed within the company, as well as at least one agent from the Ministry of State Security (MSS), China’s intelligence agency, which handles counterintelligence, foreign intelligence, and political security.
Under questioning from Sen. Dianne Feinstein, Zatko said it was "disturbing" that the company does not have the capability to internally look for and identify inappropriate access within its own systems.
“Other than the person who I believed with high confidence to be a foreign agent placed in a position from India, it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed, that they would find the person,” he said.
“What I did notice when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people,” Zatko added.
“There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone, set steps for remediation and possible reconstitution of any damage,” he told congressional officials. “They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
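The gaps Zatko describes in this article, broad production access without the logging or review needed to spot misuse, map onto a basic control: record who read which sensitive field for which user, and periodically check that access against role entitlements and volume. The following Python script is an added example and is not Twitter's code or anything described in the testimony; the roles, the sensitive-field list, the bulk threshold and the log lines are all constructed for illustration.

```python
"""Added example: a minimal access-audit pass over constructed audit-log lines.

It flags two patterns a review team would want surfaced:
  * role_violation: an actor read a sensitive field their role has no entitlement to
  * bulk_access:    an actor touched an unusually large number of distinct user records
Everything here (roles, fields, threshold, log format, sample data) is hypothetical.
"""

# Hypothetical role -> data categories that role has a business need for.
ROLE_ALLOWED = {
    "support": {"phone", "email"},
    "trust_safety": {"phone", "email", "linked_accounts"},
    "feed_engineer": set(),  # no business need to read raw user PII
}

# Hypothetical list of fields treated as sensitive user data.
SENSITIVE = {"phone", "email", "address", "location", "linked_accounts"}

# Constructed threshold: distinct user records per actor before access counts as bulk.
BULK_THRESHOLD = 50


def parse_line(line):
    """Parse one constructed log line: '<ts> <actor> <role> <action> <field> <user_id>'."""
    ts, actor, role, action, field, user_id = line.split()
    return {"ts": ts, "actor": actor, "role": role,
            "action": action, "field": field, "user": user_id}


def audit(lines, bulk_threshold=BULK_THRESHOLD):
    """Return a list of findings tuples in log order, bulk findings last.

    A role that is missing from ROLE_ALLOWED is treated as entitled to nothing,
    so an unknown or mistyped role surfaces as a violation rather than passing.
    """
    findings = []
    users_per_actor = {}
    for line in lines:
        ev = parse_line(line)
        allowed = ROLE_ALLOWED.get(ev["role"], set())
        if ev["field"] in SENSITIVE and ev["field"] not in allowed:
            findings.append(("role_violation", ev["actor"], ev["field"], ev["user"]))
        users_per_actor.setdefault(ev["actor"], set()).add(ev["user"])
    for actor, users in users_per_actor.items():
        if len(users) >= bulk_threshold:
            findings.append(("bulk_access", actor, len(users)))
    return findings


# Constructed sample log: two in-policy reads, two out-of-role reads, and one
# support agent paging through 60 distinct users' email addresses.
SAMPLE_LOG = [
    "2022-09-13T10:00:01Z alice support read phone u1001",
    "2022-09-13T10:00:05Z alice support read email u1002",
    "2022-09-13T10:01:10Z bob feed_engineer read location u2001",
    "2022-09-13T10:02:30Z carol trust_safety read address u3001",
] + [f"2022-09-13T11:{i:02d}:00Z dave support read email u{4000 + i}" for i in range(60)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running the script prints three findings: bob's read of location data his role does not need, carol's read of an address outside her entitlements, and dave's bulk access across 60 records. The point is not the specific thresholds but that none of these checks are possible without the per-read audit trail the testimony says was absent.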