Twitter’s former cybersecurity chief accused the company of a number of security breaches and egregious oversights, according to a whistleblower complaint filed with the US government this year.
The complaint, first published by The Washington Post and CNN, makes a wide range of damning claims about Twitter, including that members of the company’s board of directors have misled the public and government agencies about the company’s security. The former security chief alleged in the complaint that he was told to withhold a major security report from Twitter’s board and to write misleading security documents.
Peiter “Mudge” Zatko, a seasoned cybersecurity expert widely respected in the industry, filed the complaint with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice in July. Whistleblower Aid, a non-profit organization that provides legal assistance to whistleblowers, confirmed the authenticity of the complaint.
Parag Agrawal, CEO of Twitter, fired Zatko and another senior security official during a January reshuffle of that department.
In a statement responding to the whistleblower’s complaint, a Twitter spokesperson called Zatko’s account a “false narrative” and said Zatko was fired for “ineffective leadership and poor performance”. The spokesperson also said his claims about Twitter’s security were “riddled with inconsistencies and inaccuracies and lacked significant context.”
The complaint comes at a particularly sensitive time for Twitter, which is battling in court to ensure Tesla CEO Elon Musk completes his deal to buy Twitter for more than 44 billion dollars, a deal Musk is trying to withdraw from. Musk’s legal argument hinges on the allegation that Twitter misled investors about its product, including its ability to fight fake accounts.
Zatko’s allegations appear to bolster Musk’s claims about spam on Twitter, with the complaint stating that Agrawal “knows full well that Twitter executives have no incentive to ‘accurately detect’ or report the total number of spambots on the platform”.
Some of the notable allegations in the complaint include:
- Twitter has suffered security incidents large enough to warrant reporting to a government agency about once a week, with 20 breaches in 2020 alone.
- Twitter does not prioritize deleting spam or bot accounts in the way CEO Parag Agrawal has previously described.
- The company has never been in compliance with an agreement reached with the FTC in 2011 to protect users’ personal information.
- Twitter does little to monitor so-called insider threats, that is, employees or contractors who use their position in the company to steal information, and instead leaves them “virtually unsupervised”.
Twitter founder and former CEO Jack Dorsey hired Zatko in November 2020 following the most visibly embarrassing hack of a social media company in recent history. The hackers behind that incident took control of a host of high-profile accounts, including those of then-presidential candidate Joe Biden, Bill Gates and Elon Musk, and posted tweets asking their followers to send them bitcoin. Dorsey said at the time that he felt “awful” about the hack, and Twitter said it was likely a social engineering attack targeting employees with access to its internal systems.
The Justice Department later charged a 22-year-old Florida man, a 19-year-old Briton and a then-minor over the incident.
Zatko has a long and distinguished career in cybersecurity, with a specialization in identifying potential vulnerabilities that malicious hackers might attempt to exploit. He previously led security research teams at the Department of Defense and Google.
Sen. Marco Rubio, R-Fla., a senior member of the Senate Intelligence Committee, told NBC News that the committee received a copy of the complaint.
“We are treating the complaint with the seriousness it deserves and we look forward to hearing more,” Rubio said.
Sen. Dick Durbin, D-Ill., chairman of the Senate Judiciary Committee, said in a statement that the claims, if accurate, “may show dangerous privacy and data security risks for users of Twitter from around the world.”
“As chairman of the Senate Judiciary Committee, I will continue to investigate this matter and take the necessary steps to get to the bottom of these alarming allegations,” Durbin said in the statement.
NBC News reached out to Zatko for comment while CNBC reached out to the DOJ and FTC but received no immediate response. The SEC declined to comment.
This is a developing story. Please check for updates.