Twitter whistleblower Peiter Zatko testified before Congress on Tuesday, revealing details about the social media company’s inability to track foreign agents embedded within the company, along with other security problems.
Testifying before the Senate Judiciary Committee, the former head of security at Twitter discussed systemic and pervasive security vulnerabilities within the social media company.
“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” Zatko, who was fired from Twitter in January 2022, said in his opening remarks. “The company’s cyber security failures make it vulnerable to exploitation causing real harm to real people. And when an influential media platform can be compromised by teenagers, thieves, and spies… the company repeatedly creates security problems on their own.”
Congressional lawmakers subpoenaed the Twitter whistleblower after they received copies of a complaint filed by Zatko with the Securities and Exchange Commission (SEC) accusing Twitter of misleading federal regulators regarding the company’s defenses against hackers and foreign influence operations, the Washington Post reported.
Zatko filed the whistleblower complaint in July of 2022.
The whistleblower’s testimony could have a significant impact on the purchase agreement and subsequent lawsuit between Twitter and Tesla CEO Elon Musk. The tech billionaire signed an agreement to purchase the social media company for $44 billion before backing out of the deal, citing concerns that Twitter was lying about the true number of fake accounts on its platform. The company is now suing Musk to force him to go through with the purchase, although it initially did not want to sell the company to him.
Meanwhile, Twitter shareholders held a vote on Tuesday regarding Musk’s initial offer to buy the company — voting overwhelmingly in favor of selling, with 98.6% approving of the deal.
Zatko also testified that numerous security problems were brought to his attention by engineers and other employees at Twitter, but when he raised those problems to the executive team, along with evidence to back them up, they refused to address them — instead choosing to mislead shareholders, lawmakers and the public.
The whistleblower noted that the inaction at Twitter was twofold: company leadership “lacked the competency to understand the scope of the problem” and “executive incentives led them to prioritize profits over security.”
Zatko went on to reveal that half of Twitter’s employees have full access to “petabytes” of sensitive user data, including home addresses, which accounts users hold on other social media platforms, phone numbers and even real-time location data.
“So for me, the concern there is anybody with access inside Twitter — and half the company has access to the production environment that has this — could go rooting through and find this information and use it for their own purposes,” he said.
He warned that this would be a major problem “if you are a foreign agent and you are hired and you are an engineer, you’ve got access to all of that data we talked about.”
Zatko informed the committee that he knows “with high confidence” of a foreign agent from India who had been placed within Twitter, along with at least one agent from the Ministry of State Security (MSS), China’s intelligence agency, which handles counterintelligence, foreign intelligence and political security.
When Zatko was being questioned by Sen. Dianne Feinstein (D-CA), he noted that it was “disturbing” that Twitter is incapable of internally searching for and identifying inappropriate access within its own systems.
“Other than the person who I believed with high confidence to be a foreign agent placed in a position from India, it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed, that they would find the person,” he said.
“What I did notice when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people,” Zatko added.
“There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone, set steps for remediation and possible reconstitution of any damage,” he told congressional officials. “They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
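The two controls the testimony above describes as missing, a record of which sensitive user fields each employee read, and a way to audit that record for reads with no legitimate justification and to reconstruct what a suspected insider actually saw, are small to build once the data store is wrapped. The following is an added illustration written for this page, not code from Twitter or from the testimony; the field names, the ticket-based justification model, the fan-out threshold and the sample records and reads are all constructed for the example.

```python
"""Access logging and insider-access audit for a store of sensitive user
fields. Added example: every name, record and threshold here is assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The categories of data named in the testimony; field names are assumed.
SENSITIVE_FIELDS = {"address", "phone", "linked_accounts", "location"}


@dataclass(frozen=True)
class AccessEvent:
    engineer: str
    user_id: str
    field: str
    ticket: Optional[str]  # support/abuse ticket that justifies the read, if any


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    user_ids: frozenset   # users the ticket is about
    fields: frozenset     # fields an engineer may read to work the ticket


class AuditedUserStore:
    """Wraps a dict of user records so every read of a sensitive field is
    appended to an access log before the value is handed back. Nothing is
    blocked here; the point is that access becomes visible after the fact."""

    def __init__(self, records):
        self._records = records
        self.log: list[AccessEvent] = []

    def read(self, engineer, user_id, field, ticket=None):
        if field in SENSITIVE_FIELDS:
            self.log.append(AccessEvent(engineer, user_id, field, ticket))
        return self._records[user_id][field]


def audit(log, tickets, max_users_per_engineer=2):
    """Return (kind, detail) findings: reads that no ticket scopes to that
    user and field, and engineers whose reads fan out across more distinct
    users than a ticket-driven support workflow should need (threshold assumed)."""
    by_id = {t.ticket_id: t for t in tickets}
    findings = []
    users_per_engineer = defaultdict(set)
    for ev in log:
        users_per_engineer[ev.engineer].add(ev.user_id)
        t = by_id.get(ev.ticket)
        if t is None or ev.user_id not in t.user_ids or ev.field not in t.fields:
            findings.append(("unscoped_read", ev))
    for engineer, users in users_per_engineer.items():
        if len(users) > max_users_per_engineer:
            findings.append(("fan_out", (engineer, len(users))))
    return findings


def exposure_report(log, engineer):
    """What one engineer actually saw: user_id -> set of sensitive fields.
    This is the input to containment and to notifying affected users."""
    seen = defaultdict(set)
    for ev in log:
        if ev.engineer == engineer:
            seen[ev.user_id].add(ev.field)
    return dict(seen)


# Constructed sample records and a single legitimate support ticket.
RECORDS = {
    f"u{i}": {
        "display_name": f"user{i}",
        "address": f"{i} Main St",
        "phone": f"+1555000000{i}",
        "linked_accounts": [f"other-platform/user{i}"],
        "location": (40.0 + i, -74.0 - i),
    }
    for i in range(1, 5)
}
TICKETS = [Ticket("T-100", frozenset({"u1"}), frozenset({"phone"}))]


def demo():
    """Replay a constructed set of reads: one scoped support read, one
    non-sensitive read, and an unjustified sweep of location data."""
    store = AuditedUserStore(RECORDS)
    store.read("alice", "u1", "phone", ticket="T-100")   # in scope, logged
    store.read("alice", "u1", "display_name")            # not sensitive, not logged
    for uid in ("u1", "u2", "u3", "u4"):
        store.read("mallory", uid, "location")           # no ticket, broad sweep
    return store


if __name__ == "__main__":
    store = demo()
    for kind, detail in audit(store.log, TICKETS):
        print(kind, detail)
    print(exposure_report(store.log, "mallory"))
```

The design choice worth noting is that the log is written inside the data-access path rather than by the client, so an employee with production access cannot read a sensitive field without leaving a record; the audit and the exposure report are then ordinary queries over that record, which is exactly the capability the testimony says did not exist.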