A Twitter whistleblower says the social media platform is a decade behind security standards, and that its cybersecurity failures cause real harm to real people.
Former Twitter chief security officer Peiter "Mudge" Zatko, who testified before the Senate Judiciary Committee on Tuesday, noted that company executives turned a blind eye to the problem while focusing on profits.
Zatko noted that after the Federal Trade Commission (FTC) ordered the firm to protect users’ private data, it failed to do so.
"What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards," he said. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people."
"When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm of the real risks associated with them — and these were problems brought to me by the engineers and employees of the company themselves — the executive team chose instead to mislead its board, shareholders, lawmakers, and the public instead of addressing them."
The reason why this happened was that "key parts of leadership lacked the competency to understand the scope of the problem," he said, noting, on top of this, "executive incentives led them to prioritize profits over security."
Zatko said that one part of the problem is that the firm has so much information that it is hard to keep track of what data the company has, "where it lives, or where it came from," and consequently, they "can't protect it."
The other part is that too many Twitter employees access too much information, he stated, adding that the firm lacked a solid infrastructure for detecting who accessed what information or when.
He then elaborated on what a person could do with a Twitter user's information, saying, "This is the information that you need in order to start taking over other people's accounts."
"With your phone number and an email address, I can hijack your phone number. I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. I can cause financial harm that way. I can then assume your identity."