Twitter’s lack of internal security controls was such that the company was simply unable to detect agents of foreign intelligence services who had infiltrated the company, former security chief Peiter ‘Mudge’ Zatko says.
Zatko made the claims in testimony given to the Senate Judiciary Committee on Tuesday, in a hearing on Twitter’s data security practices.
Opening questions from Sens. Dick Durbin (D-IL) and Chuck Grassley (R-IA) quickly homed in on claims that Twitter faced numerous insider threats, including from employees of the Indian government. Zatko said that the Indian government was not the only national government to embed agents within the company. At least one Chinese spy was employed by Twitter, Zatko said, but the full extent to which the company was compromised could not be known.
“We simply lacked the ability to hunt for foreign intelligence agents and expel them on our own,” he said.
Zatko also reiterated claims made in his SEC disclosure, alleging that a lack of access logging in the company’s internal systems meant it was effectively impossible to see what data had been viewed by any specific employee. Within the company, there were “thousands” of unauthorized data access attempts every week, Zatko told the hearing, but the number was impossible to quantify precisely.
The Judiciary Committee hearing marked the first time Zatko has made a public appearance since his explosive whistleblower disclosure was filed with the SEC in July and reported by CNN and The Washington Post in August.
Besides infiltration by representatives of foreign intelligence services, Zatko alleged numerous security lapses within Twitter, including lax access controls that gave around half of Twitter’s 10,000 employees the ability to view potentially sensitive user data.
After a few weeks of relative quiet, new details given to the hearing will undoubtedly put Zatko back in the spotlight. In the time since the disclosures were made, lawyers for Elon Musk sought to subpoena Zatko to present evidence in the ongoing lawsuit over whether Musk will be compelled to buy Twitter or be allowed to back out of the deal.
But new reporting from The New Yorker, published on the day of the Judiciary Committee hearing, quotes many of Zatko’s friends and former colleagues as saying that they have been offered large sums of money to take part in “interviews” about Zatko’s personality, work ethic, and leadership style.
Despite the personal discomfort, Zatko told the Judiciary Committee that he was willing to “put it all on the line” to improve security at Twitter and in the industry as a whole.
Twitter had not responded to a request for comment by the time of publication.