Twitter Whistleblower Describes Widespread Data Security Lapses

WASHINGTON — A former Twitter computer security manager revealed broad mishandling of private data at the social media platform during a Senate hearing Tuesday.

He said the lax security endangered the private information of users and potentially of national security.

Whistleblower Peiter “Mudge” Zatko filed a complaint with the Securities and Exchange Commission that says Twitter deceived federal regulators about the company’s vulnerability to hackers and foreign infiltrators.

Instead of focusing on security, the company’s leadership put its efforts into increasing profits and their own salaries, he told the Senate Judiciary Committee.

Twitter reported revenue of $1.18 billion in the second quarter of this year. Last year, it earned $5.077 billion.

“Given the potential harm to the public of Twitter’s unwillingness to address problems I reported and Twitter’s continued efforts to cover up those problems, I determined lawful disclosure was necessary despite the personal and professional risk to me and my family of becoming a whistleblower,” Zatko said.

By the end of the hearing, several senators were pledging a regulatory crackdown on Twitter.

In May, Twitter agreed to pay a $150 million fine after the Federal Trade Commission accused the company of misusing users’ phone numbers to help in advertising campaigns. Use of the phone numbers breached a 2011 consent decree to improve security for users, the FTC said.

Zatko said that even a $150 million fine probably was inadequate to spur Twitter’s top executives into better data security.

They typically move from one crisis to another instead of instituting a comprehensive security program, he said.

“The company needs a crisis to operate,” Zatko said.

The leadership also is intolerant of bad news that could include data breaches, he said.

“This has been a culture of only present good and positive reports,” Zatko said. “That is how you move up in the company.”

The security breaches have included clandestine agents of China and India joining the San Francisco, California-based company’s roughly 7,500 employees. About 4,000 of the employees are engineers who have access to private data.

Sometimes Twitter has allowed Chinese companies to publish click-through ads on Twitter that then could give the Chinese government access to the customers’ personal computers, Zatko said.

Another time, two Twitter employees sold private information of about 6,000 users to the Saudi government.

Zatko said Twitter might be better able to control security of its international operations if it was willing to hire more foreign language translators to monitor international traffic.

“Eighty percent of their users are outside of the United States,” he said.

Sen. Lindsey Graham, R-S.C., told Zatko, “What you did today will not be in vain.”

He said he would craft legislation with other senators to rein in what he described as “the dark side” of Twitter’s data security.

“The regulatory environment is insufficient to the task,” he said.

Sen. Dick Durbin, D-Ill., chairman of the Senate Judiciary Committee, said consumers are unaware of how their Twitter posts compromise their personal security.

“Unbeknownst to you, someone else might be right there in your pocket or purse,” Durbin said.

Sen. Charles Grassley, R-Iowa, hinted a management shake-up might be coming soon for Twitter, potentially touching Chief Executive Officer Parag Agrawal.

“If these allegations are true, I can’t see how Mr. Agrawal can maintain his position at Twitter,” Grassley said.

Tom can be reached at [email protected] and @TomRamstack