Twitter’s former head of cybersecurity has accused the company of some glaring security flaws and oversight, according to a whistleblower complaint filed with the US government this year.
The complaint, first published by The Washington Post and CNN, makes a wide range of damning claims about Twitter, including that members of the company’s board of directors have misled the public and government agencies about the company’s security. The former security chief alleged in the complaint that he was told to withhold an important security report from the Twitter board and to write misleading security documents.
Peiter “Mudge” Zatko, a veteran cybersecurity expert widely respected in the industry, filed the complaint with the Securities and Exchange Commission, Federal Trade Commission and the Department of Justice in July. Whistleblower Aid, a non-profit organization that provides legal aid to whistleblowers, confirmed the complaint’s authenticity.
Twitter CEO Parag Agrawal fired Zatko and another top security official in a shake-up of that department in January.
In a statement in response to the whistleblower complaint, a Twitter spokesperson called Zatko’s account “a false narrative” and said Zatko was fired for “ineffective leadership and poor performance.” The spokesperson also said his allegations about Twitter’s security were “riddled with inconsistencies and inaccuracies and lacked important context.”
The complaint comes at a particularly sensitive time for Twitter, which is fighting in court to ensure Tesla CEO Elon Musk pushes through a deal to buy Twitter for more than $44 billion. Musk is trying to pull out of the deal. Musk’s legal argument rests on the claim that Twitter has misled investors about its product, including how well it fights fake accounts.
Zatko’s allegations appear to bolster Musk’s claims about spam on Twitter, with the complaint stating that Agrawal “knows very well that Twitter executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”
Some of the notable allegations of the complaint include:
- Twitter faced security incidents significant enough to warrant a report to a government agency about once a week, with 20 breaches in 2020 alone.
- Twitter does not prioritize deleting spam or bot accounts in the way CEO Parag Agrawal has previously described.
- The company has never adhered to an agreement it made with the FTC in 2011 to protect users’ personal information.
- Twitter does little to monitor for so-called insider threats, that is, employees or contractors using their positions in the company to steal information, instead leaving them “virtually unchecked.”
Twitter founder and former CEO Jack Dorsey hired Zatko in November 2020 after the company suffered the most visibly embarrassing social media company hack in recent memory. The hackers behind that incident took control of a host of high-profile accounts, including those of then-presidential candidate Joe Biden, Bill Gates and Elon Musk, and posted tweets asking followers to send them bitcoin. Dorsey said at the time that he felt “terrible” about the hack, and Twitter said it was likely a social engineering attack targeting employees with access to its internal systems.
The Justice Department later charged a 22-year-old in Florida, a 19-year-old British man and a minor at the time for the incident.
Zatko has a long and distinguished career in cybersecurity, specializing in identifying potential flaws that malicious hackers could attempt to exploit. Previously, he led security research teams at the Department of Defense and Google.
Sen. Marco Rubio, R-Fla., the most senior member of the Senate Intelligence Committee, told NBC News the committee had received a copy of the complaint.
“We are treating the complaint with the seriousness it deserves and look forward to learning more,” Rubio said.
Sen. Dick Durbin, D-Ill., chairman of the Senate Judiciary Committee, said in a statement that the claims, if accurate, “could demonstrate dangerous data privacy and security risks to Twitter users around the world.”
“As chairman of the Senate Judiciary Committee, I will continue to investigate this matter and take further steps if necessary to get to the bottom of these alarming allegations,” Durbin said in the statement.
NBC News reached out to Zatko for comment, while CNBC contacted the DOJ and FTC, but received no immediate response. The SEC declined to comment.
This is a developing story. Check back for updates.