Special Report: Mudge Says Weak Defenses, Privacy Risks, Foreign Agents Plague Twitter
Research and advisory firms sought to dig up dirt on Zatko; Twitter shareholders approve Musk's $44 billion deal to buy the company
Former Twitter security executive turned whistleblower Peiter Zatko, better known in security circles as Mudge, testified before the Senate Judiciary Committee in a highly anticipated and widely covered hearing on allegations of shoddy and almost non-existent security practices at the powerful social media company.
In his written testimony, Mudge said he chose to lodge a whistleblower complaint about Twitter’s security practices because he believes “that Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security.” He added that he also thought Twitter purposely misled regulatory agencies, violating its legal obligations in a way that he can’t ethically condone.
Mudge said he discovered after joining Twitter that “this enormously influential company was over a decade behind industry security standards. The company’s cybersecurity standards make it vulnerable to exploitation, causing real harm to real people.” He characterized Twitter’s top management as indifferent to the security problems Mudge told them about, saying they chose to mislead the board, shareholders, and public instead of addressing the issues.
“To put it bluntly, Twitter leadership ignored its engineers because key parts of leadership lacked the competency to understand the scope of the problem. But more importantly, their executive incentives led them to prioritize profits over security,” Mudge said.
Among the most damning security allegations Mudge raised is that Twitter keeps no comprehensive logs and is unaware of where data is stored, leaving the company blind regarding which of the company’s 4,000 engineers access what data and when. “They don’t know what data they have, where it lives or where it came from, and so unsurprisingly, they can’t protect it,” he told the lawmakers.
This blindness leads to another problem: “employees have too much access to too much data on too many systems.” Mudge said, “it’s not far-fetched that an employee inside the company could take over all of the accounts of all of the Senators in this room.”
Mudge also reiterated a claim from his complaint that the Indian government placed a government employee inside the company. He further said that, shortly before Twitter summarily fired him early this year, the FBI warned the company that Chinese intelligence had an agent on the payroll at Twitter. “While it was disturbing to hear, I and many others, recognizing the state of the environment at Twitter, we were really thinking if you’re not placing foreign agents inside of Twitter… as a foreign intelligence company, you are most likely not doing your job.”
Right before the hearing began, the New Yorker’s Ronan Farrow published a piece that describes a bizarre campaign, likely on behalf of Wall Street speculators, by research and advisory firms to speak with any former colleagues or connections of Zatko’s who might share insight into his thinking process, behavior and history. At least six research outfits, Gerson Lehrman Group (G.L.G.), AlphaSights, Mosaic Research Management, Ridgetop Research, Coleman Research Group, and Guidepoint, approached former colleagues of Zatko’s at Stripe, Google, and the Pentagon research agency DARPA offering to pay them whatever they asked for information on Zatko.
Finally, mere hours after Mudge testified, Twitter shareholders voted to approve Elon Musk’s $44 billion offer to acquire it for $54.20 per share, far higher than the current share price of roughly $42, despite Musk’s invocation of Mudge’s whistleblower report, among many other factors that the Tesla founder contends should invalidate his offer to buy the company.