Twitter can’t protect users’ data, former CISO alleges

9
Twitter can’t protect users’ data, former CISO alleges

Twitter’s former chief information security officer (CISO) leveled a series of serious accusations against his former employer in testimony before U.S. Congress, including allegations that foreign agents from India and China worked for the company, and that Twitter executives mislead the public and regulators on data security.

“First, they don’t know what data they have, where it lives, or where it came from, and so, unsurprisingly, they can’t protect it,” Peiter Zatko told the Senate judiciary committee on Tuesday. “That leads to the second problem: employees need to have too much access to too much data on too many systems.”

He joined the company in November 2020. Twitter says he was fired in January for “ineffective leadership and poor performance.”

Zatko was quoted by SC Media as saying Twitter’s data infrastructure is so decentralized that not even leadership knows all the data the company collects or where it’s stored. When he brought those concerns to Twitter’s leadership, he claimed their incentive structure led them to prioritize “profits over security.”

The news site The Record quoted him saying roughly half of Twitter employees are engineers who have vast practical access to the company’s systems. However, those systems often lack logging capabilities, so it can be hard to track if someone — such as an agent of a foreign government — inappropriately accesses information.

Several news agencies noted that Twitter has been under a consent decree with the U.S. Federal Trade Commission since 2011 because of several data security incidents. As recently as May, Twitter settled a civil complaint from the agency accusing the company of violating that order by collecting phone numbers of users for account security purposes, then using them to target advertising. The company agreed to pay a US$150 million fine.

In response to the allegations, Agence France Press and others noted that in a statement, Twitter said its hiring process is “independent of any foreign influence” and access to data is managed through a host of measures, including background checks, access controls, and monitoring and detection systems and processes.

The Reuters news agency noted many of the allegations are uncorroborated and have little documentary support.

Zatko was emphatic. “It’s not far-fetched to say that an employee at the company could take over the accounts of all of the senators in this room,” he was quoted as saying. “Given the real harm to users and national security, I determined it was necessary to take on the professional and personal risk to myself and my family of becoming a whistleblower.”

The testimony comes as the U.S. House of Representatives is dealing with a bipartisan federal privacy bill.