Twitter whistleblower set to testify about 'widespread security failures'

Former Twitter (TWTR) security chief Peiter “Mudge” Zatko will appear before the Senate Judiciary Committee on Tuesday to testify about what he says are widespread security failures at the social media company.

The hearing, scheduled to begin at 10 a.m. E.T., will focus on the allegations Zatko made in a whistleblower complaint filed in July with the Securities and Exchange Commission, Department of Justice, and Federal Trade Commission, which alleges that Twitter’s overall cybersecurity posture is woefully lacking.

Zatko, a widely respected “white-hat” hacker, says Twitter never complied with a 2011 FTC settlement requiring the company to implement a comprehensive security program that protects user data and prevents the platform from being exploited. Twitter fired Zatko in January for what it says was poor leadership.

The FTC and Twitter entered into the agreement after hackers broke into the social media site’s internal systems during two attacks in 2009 — and then posted tweets via user accounts, including one used by then-President Barack Obama.

Peiter "Mudge" Zatko, who has worked for Google and Twitter, will testify before the Senate Judiciary Committee on Tuesday. (Photo by Matt McClain/The Washington Post via Getty Images)

“Mr. Zatko’s allegations of widespread security failures and foreign state actor interference at Twitter raise serious concerns,” Senators Dick Durbin (D-IL) and Chuck Grassley (R-IA) said in a statement announcing the hearing last month. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.”

Among his allegations, Zatko says that 30% of Twitter employee devices had software and security updates disabled, and that Twitter never installed management software on employees’ smartphones that had access to corporate systems.

If true, Zatko’s claims paint a picture of a major technology firm that doesn’t follow even the most basic cybersecurity rules.

Twitter characterized Zatko’s allegations as false and lacking context.

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesperson said in an email to Yahoo Finance.

The Musk angle

The hearing comes against the backdrop of Twitter’s legal battle seeking to stop Tesla (TSLA) CEO Elon Musk from backing out of purchasing the social network for $44 billion.

Musk — who agreed to buy Twitter in April for $54.20 per share — said he was pulling out of the deal in July. He said he could no longer go through with it because Twitter refused to turn over data regarding how many bots are on the social network.

For years, Twitter has said that less than 5% of its monetizable daily active users (mDAUs) are bots. mDAUs is a metric that Twitter promotes to advertisers as an estimate of the human account-holders who are engaging with its platform. The number, which Twitter has said could be higher than estimated, is meant to be a subset of the total number of users on the platform that excludes bot accounts.

Zatko's testimony could affect Tesla CEO Elon Musk's attempt to get out of the deal to buy Twitter. (AP Photo/Susan Walsh, File)

Musk contends that as many as 20% or more of Twitter’s mDAUs are bots; the face-off is now headed to a trial in a Delaware Chancery Court scheduled to begin Oct. 17.

Zatko could play a role in that dustup, too. In addition to his claims about Twitter’s security posture, Zatko says that Twitter’s executives disincentivized employees from looking into how many bots are on the platform and pushed to grow the total number of mDAUs.

Importantly, Zatko doesn’t challenge Twitter’s claim about bots making up less than 5% of mDAUs. Instead, he says because the company discourages employees from vetting bot numbers, it doesn’t know how many of the platform's total users are bots. That could throw a wrench into Twitter’s bid to force Musk to buy the company, litigation attorneys say.

Perhaps still more damaging for Twitter is the $7.75 million severance agreement the social media company paid to Zatko when it fired him in June. According to Musk, under the terms of the April purchase agreement, Twitter needed to inform Musk before making severance payments to employees that were outside of the normal course of business.

If Musk can prove that the payment wasn’t part of normal business, he may bolster his argument that the Delaware court should void the contract for his purchase of Twitter.

In a court filing responding to Musk’s amended justifications for backing out of the deal, Twitter says the payment doesn’t impact the purchase agreement.

Zatko will likely address his severance payment, as well as his time at the social network, during his testimony before the Senate Judiciary Committee on Tuesday.

Got a tip? Email Daniel Howley at dhowley@yahoofinance.com. Follow him on Twitter at @DanielHowley.

Alexis Keenan is a legal reporter for Yahoo Finance. Follow Alexis on Twitter @alexiskweed.
