“Half of Twitter’s roughly 7,000 full-time workers have complete access to its code and user confidential data” Says its former chief security officer Peiter Zatko

Twitter executives misled federal regulators and the company’s own board about “extreme and egregious shortcomings” in its defenses against hackers and its meager efforts to combat bots, said a former chief security officer Peiter Zatko.

What happens inside Twitter?

The document describes Twitter as a chaotic and aimless company beset by infighting, unable to adequately protect its 238 million daily users, which include government agencies, heads of state and other influential public figures.

This month, a former Twitter employee was convicted of using his position at the company to spy on dissidents and critics of the Saudi government, passing his information to a close aide to Crown Prince Mohammed bin Salman in exchange for money and gifts.

Since Zatko’s departure, Twitter has been thrown further into chaos with the acquisition of Musk, which both sides agreed to in May. Share prices have fallen, many employees have quit, and Agrawal has fired executives and frozen big projects.

What does the complaint filed by the former head of security say?

The document exposes that thousands of employees continued to have extensive and poorly tracked insider access to the company’s core software, a situation that for years had led to embarrassing hacks, including account seizures of high-profile users like Elon Musk and the former presidents Barack Obama and Donald Trump.

The former security chief claims Jack Dorsey’s company flouted an 11-year settlement with the Federal Trade Commission by falsely claiming it had a robust security plan. 

A redacted version of the 84-page complaint was sent to congressional committees. The FTC is reviewing the allegations, according to two people familiar with the preliminary investigation. 

  • The text details that the company’s executives deliberately hid terrible data about the number of infractions and the lack of protection of user data, instead presenting the graphic directors in pink who measured insignificant changes.
  • Executives prioritized user growth over bots reduction because they received bonuses of up to $10 million for reaching the goal.  
  • Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate through the service at great personal risk, so security should be a priority.
  • Whistleblower Aid’s complaint includes allegations suggesting that Twitter’s security practices were even worse than regulators knew.
  • According to the lawsuit, about half of Twitter’s roughly 7,000 full-time workers had broad access to the company’s internal software, and that access was not rigorously controlled, allowing them to tap into sensitive data and modify how the service worked.

The fallout for Twitter

The complaint has potential implications for Twitter’s legal battle with Musk, who is trying to get out of a $44 billion deal to buy the social media platform. The settlement includes a commitment by Twitter that its statements to shareholders are accurate. 

But Musk maintains that Twitter has drastically underestimated the number of bots on its platform, a violation that should allow him to opt out without penalty. The dispute is scheduled to go to trial in Delaware Chancery Court in October.

If the allegations are proven, the company could face significant penalties, potentially hundreds of millions of dollars, said David C. Vladeck, who was director of the FTC’s consumer protection office at the time of the settlement.

Senate Intelligence Committee spokeswoman Rachel Cohen said the committee is trying to set up a meeting with Zatko to discuss the complaint in detail.