“Twitter was and continues to be one of the world’s most influential communications platforms.
What happens on Twitter has an outsized effect on public discourse and our culture. I believed
that improving the platform’s security would benefit not only Twitter’s millions of users, but
also the people, communities, and institutions affected by the information exchanges and debates taking place on the platform.” An excerpt from the testimony of ex-Twitter Security Chief, Peiter ‘Mudge’ Zatko, giving the Senate Panel some background as to why he finds it critical to disclose Twitter’s terrible data security posture.
In understanding Peiter’s purpose in these disclosures, Zatko’s testimony says it best:
“Upon joining Twitter, I discovered that the Company had 10 years of overdue critical
security issues, and it was not making meaningful progress on them. This was a ticking bomb of
security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed
those security failures to the highest levels of the Company. It was only after my reports went
unheeded that I submitted my disclosures to government agencies and regulators.
In those disclosures, I detail how the Company leadership misled its Board of Directors,
regulators, and the public. Twitter’s security failures threaten national security, compromise the
privacy and security of users, and at times threaten the very continued existence of the Company. I also detail that despite these grave threats, Twitter leadership has refused to make the tough but necessary changes to create a secure platform. Instead, Twitter leadership has repeatedly covered up its security failures by duping regulators and lying to users and investors… My genuine hope is that my disclosures help Twitter finally address its security failures and encourage the Company to listen to its engineers and employees who have long reported the same issues I have disclosed.”
The list of Twitter’s shocking security flaws includes in part:
- The ability for Twitter engineers to pose as ‘anybody’ and tweet from their accounts!
- The inability to detect whether foreign agents are on its payroll (amid claims that the FBI has warned Twitter it may have had at least one Chinese agent in the company.)
- A lack of framework or organization with regards to copious amounts of user PII.
- No access logs, accountability or visibility into employees interactions with data.
- A lack of privileged user management tools.
- A lack of separation of duties for admin and developers.
- No sound understanding for the collection or use of information.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days