(by Wendi Strauch Mahoney | UncoverDC) – Testimony from Twitter whistleblower Peiter “Mudge” Zatco on Tuesday before the Senate Judiciary Committee “paints a very disturbing picture” of a company that sacrificed the safety of its users in favor of the almighty dollar. Ranking Member Senator Chuck Grassley expressed his dismay over allegations of the employment of “at least one Chinese agent” and other foreign assets in the company. He and Senator Dick Durbin wrote a letter to Twitter CEO Parag Agrawal on Sept. 12, questioning the company about its alleged “inadequate” protection of user data and national security.
Zatco saying Twitter employees could go into the accounts of high profile politicians – and that there would be little trace of them doing so. Serious allegations here. #twitterwhistleblower
— James Clayton (@JamesClayton5) September 13, 2022
On Tuesday, Grassley bolstered his case, citing DOJ indictments in 2019 of two Twitter employees who “used their positions to access private user data and then gave it to Saudi Arabia.” They accessed private data on “more than 6,000 users” who were of interest to Saudi Arabia, violating a 2011 consent decree with the FTC to protect private user information. Twitter outsources “a great deal of information” to foreign sources. Grassley warned the FTC lacks the resources to properly oversee Twitter’s compliance with the consent decree, and Zatco agreed.
Peiter “Mudge” Zatco’s Testimony
Zatco was on Twitter’s executive team from November 2020 to January 2022. He filed a complaint on Jul. 6, as evidenced by a cover letter from his attorneys requesting legal protections from retaliation. Zatco’s 84-page redacted disclosure was obtained by the Washington Post in July. He was responsible for information security, privacy, engineering, physical security, information technology, and Twitter global support. He came forward because of grave concerns over Twitter’s antiquated security standards. He repeatedly tried to warn its management and board and believes the company continues to mislead users, shareholders, and lawmakers. He said the company is at least “10 years behind its peers” in the realm of cyber security.
“Two basic issues” are at the core of Zatco’s worries. First, Twitter does not have a handle on “where data lives or where it comes from.” The company has no way to track who is looking at or using the data on its system. As a result, user data is insecure. Second, as a result of the lack of security, “about 4000 Twitter engineers” have “too much access to too much data into too many systems. You can think of it this way,” he added, “It doesn’t matter who has the keys if you don’t have any locks on the doors. It is not far-fetched to say that an employee inside the company could take over all the accounts of all of the senators in this room.”
The lack of security controls at the company can cause real-world problems for users and our national security. Once Twitter has access to key data points like phone numbers, addresses, emails, types of devices used, and geolocation data, there’s no limit to what they can potentially do with the information. It can cause “real harm to users and to national security,” said Zatco. The exchange with Senator Durbin of Illinois is illustrative of his unease with Twitter’s refusal to prioritize the security of its platform.
When Zatco first joined the company, he “discovered that thousands of users had access to the advertisers’ information including their bank accounts & routing numbers, and when I first joined, people could change that information.” He also gave current examples of how easy it is to identify users, their social and business networks, all of the Twitter accounts “they have tried to hide,” their other social media accounts, and their exact location at any given point in time.