Twitter can’t protect users’ data, former CISO alleges

Twitter’s former chief information security officer (CISO) leveled a series of serious accusations against his former employer in testimony before U.S. Congress, including allegations that foreign agents from India and China worked for the company, and that Twitter executives mislead the public and regulators on data security.

“First, they don’t know what data they have, where it lives, or where it came from, and so, unsurprisingly, they can’t protect it,” Peiter Zatko told the Senate judiciary committee on Tuesday. “That leads to the second problem: employees need to have too much access to too much data on too many systems.”

He joined the company in November 2020. Twitter says he was fired in January for “ineffective leadership and poor performance.”

Zatko was quoted by SC Media as saying Twitter’s data infrastructure is so decentralized that not even leadership knows all the data the company collects or where it’s stored. When he brought those concerns to Twitter’s leadership, he claimed their incentive structure led them to prioritize “profits over security.”

The news site The Record quoted him saying roughly half of Twitter employees are engineers who have vast practical access to the company’s systems. However, those systems often lack logging capabilities, so it can be hard to track if someone — such as an agent of a foreign government — inappropriately accesses information.

Several news agencies noted that Twitter has been under a consent decree with the U.S. Federal Trade Commission since 2011 because of several data security incidents. As recently as May, Twitter settled a civil complaint from the agency accusing the company of violating that order by collecting phone numbers of users for account security purposes, then using them to target advertising. The company agreed to pay a US$150 million fine.

In response to the allegations, Agence France Press and others noted that in a statement, Twitter said its hiring process is “independent of any foreign influence” and access to data is managed through a host of measures, including background checks, access controls, and monitoring and detection systems and processes.

The Reuters news agency noted many of the allegations are uncorroborated and have little documentary support.

Zatko was emphatic. “It’s not far-fetched to say that an employee at the company could take over the accounts of all of the senators in this room,” he was quoted as saying. “Given the real harm to users and national security, I determined it was necessary to take on the professional and personal risk to myself and my family of becoming a whistleblower.”

The testimony comes as the U.S. House of Representatives is dealing with a bipartisan federal privacy bill.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs