A former security chief at Twitter has filed a whistleblower disclosure accusing the microblogging platform of deceiving the public and misleading federal regulators and the company’s board of directors about its security lapses and problems with fake accounts.
The whistleblower, Peiter Zatko, also known as “Mudge,” filed complaints, totaling more than 200 pages, last month with the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Justice Department, which were obtained by CNN and the Washington Post.
In his disclosure, Zatko said the security vulnerabilities pose a major threat to Twitter’s users’ personal data, national security, and democracy. He also accused Twitter of deceiving the company’s shareholders and violating an agreement it made with the FTC regarding upholding certain security standards.
For those unfamiliar, Peiter Zatko is a veteran hacker and security expert, also known as “Mudge”, who was hired as Head of Security by former Twitter head Jack Dorsey in November 2020 after a major hack of the company’s systems. However, he was fired by the social media platform in January 2022 over “ineffective leadership and poor performance”.
In his whistleblower disclosure, Zatko also states that Twitter’s leadership “misled its own board and government regulators about its security vulnerabilities”. He added that some of these weaknesses could “allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns”.
Another of his allegations is that the company does not reliably delete users’ data after they have canceled their accounts, in some cases because the company had lost track of the information.
The whistleblower also states that Twitter executives lack the resources to completely understand the true number of bots on the platform – an important element in Musk’s argument for withdrawing his $44 billion buyout deal. He also accuses them of lying about the actual number of bots and spam accounts to Elon Musk and shareholders.
“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko told The Washington Post regarding his decision to become a whistleblower. “I want to finish the job Jack brought me in for, which is to improve the place.”
Zatko, under the SEC whistleblower rules, is entitled to legal protection against retaliation, as well as potential monetary rewards.
Rachel Cohen, a spokesperson for the U.S. Senate’s intelligence committee, said the committee has received Zatko’s complaint and “is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
A person familiar with Zatko’s tenure at Twitter said that the company examined several claims during his tenure there and determined that they were sensationalistic and without merit, and at times, lacked understanding of Twitter’s FTC obligations.
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context,” a Twitter spokesperson said in a statement.
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
The spokesperson said that Twitter “fully stands by” its SEC filings and approach to fighting spam.
Twitter CEO Parag Agrawal reportedly sent an email to employees on Tuesday morning addressing the complaint. “Given the spotlight on Twitter at the moment, we can assume that we will continue to see more headlines in the coming days — this will only make our work harder,” he told staff.