The former Twitter security chief central to Elon Musk’s attempt to back out of buying the social media company has accused its leadership of prioritising “profits over security”.
Peiter “Mudge” Zatko said Twitter was “over a decade behind industry security standards” in an appearance before the US Senate judiciary committee. His testimony has opened up the social media company’s cyber security practices to scrutiny and could shape the future of Musk’s high-stakes legal battle.
Zatko, who was fired by Twitter in January and filed a whistleblower complaint to US authorities in early July, accused its executives of “misleading the public, lawmakers, regulators and even its own board of directors” over its security practices.
The security lapses were so severe they threatened national security, he told lawmakers.
The accusations have been seized upon by Tesla co-founder Musk, who is already suing Twitter to get out of his $44bn agreement to buy the company, arguing that it underestimated and misled regulators on the number of bots on the platform.
Twitter shareholders voted on Tuesday to approve Musk’s $44bn takeover bid, according to a preliminary count.
In his opening statement, Senator Charles Grassley said Twitter chief executive Parag Agrawal had refused to attend the hearing, claiming it would “jeopardise the ongoing litigation” with Musk. “If these allegations are true, I don’t see how Mr Agrawal can maintain his position at Twitter,” he added.
Twitter has previously said Zatko was peddling a “false narrative” about the company. It did not immediately respond to a request for comment.
During the wide-ranging hearing, Zatko, who has held senior cyber security positions at Google and the US Department of Defense, described Twitter as failing to address its cyber vulnerabilities as it lurched from crisis to crisis.
Staffers did not “know what data they have, where it lives” and “have too much access to too much data”, he said. He estimated that thousands of employees had access to users’ sensitive information and that of advertising clients.
He said he and others had raised such issues internally, but that executives instead misled regulators about the company’s compliance with a 2011 settlement with the Federal Trade Commission that ordered it to bolster its privacy and security practices.
“Key parts of leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritise profits over security,” Zatko added.
Lawmakers also homed in on Zatko’s allegations that foreign intelligence agents were able to get inside the company, just weeks after a former Twitter employee was found guilty of passing personal information on Saudi dissidents from the platform to the country’s government.
Zatko said the FBI had told Twitter that at least one Chinese government operative was on its payroll, but that the company was struggling to log and track suspicious activity on its platform.
“They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” he said. He added that he had learned of “thousands of failed attempts to access internal systems that were happening per week, and nobody was noticing”.
He also claimed that Twitter was pressured by the Indian government to place agents from the country inside the company.
Twitter’s lawyers said last week that in early 2022 Zatko had raised concerns with senior executives that the company was misleading its risk committee on cyber security matters. The company said that these concerns were investigated internally and “found to be without merit”.
Zatko’s allegations promise to play a significant role in the October trial over Musk’s takeover.
A Delaware judge agreed last week to consider his allegations as part of Musk’s case after his team asserted that, if true, they would constitute fresh grounds to cancel the deal. Zatko has also been subpoenaed by Musk’s team to testify in October.