Twitter Cybersecurity Whistleblower Calls Out Company for Allegedly Deceiving Regulators and the Public
Big Tech is having another day of reckoning. Peiter “Mudge” Zatko, Twitter’s former head of cybersecurity, filed a complaint with the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Department of Justice (DOJ), alleging that the company’s poor internal security controls leave users’ data potentially unprotected and available to malicious actors. Zatko also alleged that Twitter deceived regulators by claiming to protect users’ data and secure its platform, when in fact too many people had access to the platform’s core software.
As part of a settlement with the FTC over a decade ago, regarding cybersecurity lapses that allowed hackers to gain unauthorized access to the platform, Twitter was “barred for 20 years from misleading consumers” about its cybersecurity practices and was supposed to “establish and maintain a comprehensive information security program” assessed by an independent auditor. The whistleblower alleged that Twitter failed to comply with this settlement as well. Of interest to Twitter users, Zatko alleged that Twitter “does not reliably delete users’ data after they cancel their accounts” and does not have good systems for tracking what happens to users’ deleted data.
Then-CEO Jack Dorsey hired Zatko in 2020 following some high-profile Twitter account hacks. Zatko uncovered a variety of cybersecurity concerns regarding access to the production environment, server stability, software updates, and more. The Washington Post and CNN’s exclusive stories tell a tale of an “ethical hacker” trying to use internal systems to bring to light a variety of issues and being shouted down before being ultimately dismissed from the company.
Zatko is slated to testify to the Senate Judiciary Committee on September 13, 2022.
The DOJ’s Civil Cyber-Fraud Initiative encompasses the type of fraud Zatko is alleging: a company claiming to have adequate cybersecurity controls and procedures in place when it actually does not. The initiative calls on knowledgeable insiders, much like Zatko and Facebook whistleblower Frances Haugen, to report data breaches and companies that falsely certify that they have, or are capable of instituting, good cybersecurity controls and policies, in order to protect taxpayers and national security.