Among the many damning allegations in the newly released Twitter whistleblower complaint, is the disquieting revelation that Twitter was unable to seal its production environment to guard against any potential insider threats amid the January 6 attack on the U.S. Capitol. Twitter’s former head of security Peiter “Mudge” Zatko has accused Twitter of serious cybersecurity negligence in an expansive new complaint filed with the Federal Trade Commission (FTC), U.S. Securities and Exchange Commission (SEC) and Justice Department. Among allegations that range from poor data protection to FTC violations, the complaint indicates Twitter lacked the ability to protect itself if any of its own employees went rogue.
This issue was discovered on January 6, after a violent mob attacked the U.S. Capitol Building. As a precaution, Zatko had wanted to lock down Twitter’s internal systems and found that was not an option.
Zatko said he asked the executive in charge of engineering how Twitter could seal its production environment to keep it protected from any internal threats from staff who may have supported the rioters. The complaint explains that Zatko didn’t want any employees to access or potentially damage the production environment as the Capitol attack was underway.
What he found, however, was that such a lockdown wasn’t just difficult — it was allegedly impossible.
“All engineers had access,” the complaint states. “There was no logging of who went into the environment or what they did. When Mudge [Peiter Zatko] asked what could be done to protect the integrity and stability of the service from a rogue or disgruntled engineer during this heightened period of risk he learned it was basically nothing. There were no logs, nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment,” the complaint reads.
Twitter hired Zatko in late 2020 to lead the security division following a high-profile attack that compromised the Twitter accounts of several high-profile individuals, including Joe Biden, Bill Gates and Elon Musk. During Zatko’s time at Twitter, the security professional claims to have witnessed a company that lacked basic security controls and procedures, and where around 5,000 people — or half of Twitter’s staff at the time — had been given access to “sensitive live production systems and user data” in order to do their jobs.
This goes against standard engineering and security principles, which typically lock down access to live production environments. Engineers at tech companies of Twitter’s size would normally utilize staging environments and test data, as opposed to live customer data. Twitter did not, Zatko found. Instead, he discovered that employees built, tested and developed new software directly in production with live customer data and other sensitive information, he said. In addition, much of this access wasn’t monitored or logged, the complaint indicates.
As a result of Twitter’s compromised security, Zatko says it was vulnerable to insider threats during the Capitol insurrection.
The complaint also highlights how Twitter’s lack of logging could have allowed employees to take various actions without being caught. Twitter’s issues around proper logging were already known thanks to the New York State Department of Financial Services (DFS) investigation into the July 15, 2020 hack into the Twitter accounts of cryptocurrency firms and other well-known figures. DFS had discovered that Twitter lacked adequate cybersecurity protections, including “adequate access controls and identity management, and adequate security monitoring.”
In addition, the complaint points out Twitter didn’t have a chief information security officer (CISO) at the time of the 2020 Twitter hack — then the largest hack of a social media platform in history. Zatko had flagged this in the complaint as one of the ways Twitter was in violation of its 2011 FTC Consent Order. (The FTC order had come about after multiple other security incidents in 2009 had allowed hackers to take administrative control of Twitter’s systems. Under the terms of the FTC agreement, Twitter was ordered to establish and maintain a comprehensive information security program that would be assessed by an outside auditor.)
The complaint states Twitter didn’t have either a CISO or an executive versed in information security and privacy engineering when it was attacked in 2020 — just months before the Capitol attack. The company had lost its previous security chief, Mike Convertino, in December 2019 after he left to join a cyber resilience firm, Arceo. Twitter didn’t bring on a replacement until late September 2020, when it hired Rinki Sethi, previously of cloud data management company Rubrik, to serve as CISO. That meant Twitter went for a good part of a year leading up to January 6 without a chief information security officer.
Zatko later joined Twitter in November 2020 to head security.
In the absence of a CISO, Parag Agrawal — then Twitter’s chief technology officer, now CEO — was the key decision-maker for correcting the security vulnerabilities exposed by the 2020 Twitter hack, the complaint said.
Later, both Zatko and Sethi were among those who left the company when Agrawal shook up Twitter’s executive leadership in January of this year after he took over as CEO following Jack Dorsey’s November 2021 departure. Twitter then appointed Lea Kissner as CISO on an interim basis after Sethi left.
Twitter has dismissed Zatko’s whistleblowing as a “false narrative” that’s “riddled with inconsistencies and inaccuracies,” in statements made to the press — including those provided to TechCrunch.
Agrawal has also sent this same message in a memo to company employees, included below.