Former Twitter security chief accuses company of cybersecurity negligence

Whistleblower complaint alleges 5,000 employees had unfettered access to internal software

Twitter has come under scrutiny yet again this year, as a new whistleblower complaint accuses the social media giant of cybersecurity negligence.

Twitter’s former head of security Peiter Zatko has accused the San Francisco-based company of “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” according to his complaint filed with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Justice Department.

According to the complaint, first obtained by CNN and The Washington Post, Zatko said thousands of employee laptops contained complete copies of Twitter’s source code and that roughly one-third of those devices had system firewalls turned off and remote desktop access enabled for non-approved purposes. Plus, Zatko said the company blocked automatic security fixes.

Zatko alleges that about 5,000 full-time employees had access to the company’s internal software and that access wasn’t closely monitored. “Employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” according to the complaint.

Zatko said he discovered that half of the company’s 500,000 datacenter servers run on outdated software that doesn’t support basic security features or no longer receives regular security updates from its vendors. The complaint alleges that the company had approximately one security incident each week serious enough that Twitter was required to report it to government agencies. “In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” the complaint reads. “These included 20 incidents defined as breaches; all but two of which were access control related.”

Twitter spokesperson Madeline Broas told TechCrunch: “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

In 2020, Zatko was recruited by Twitter to lead the company’s security division following a breach that saw Twitter accounts of Joe Biden, Bill Gates and Elon Musk, among other famous names, hacked, The New York Times reported. Zatko was let go from the company less than two years later, TechCrunch reported.

Nearly one in three (30%) employees don’t think they personally play a role in maintaining their company’s cybersecurity posture, according to research from San Francisco-based email security company Tessian.

Furthermore, only 39% of employees say they’re “very likely” to report a security incident. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% said they just don’t care enough about cybersecurity to mention it. Obviously, that makes investigation and remediation even more challenging and time-consuming for security teams.

Virtually all IT and security leaders (99%) agreed that a strong security culture is important in maintaining a company’s cybersecurity posture. Yet, despite rating their organization’s security 8 out of 10 on average, 75% of organizations experienced a security incident in the last 12 months.