The former Twitter security chief who has become central to Elon Musk’s attempt to back out of buying the social media company has accused its leadership of ignoring concerns over weak cyber defenses and foreign infiltration, and instead prioritising “profits over security”.
Appearing before the US Senate judiciary committee, Twitter’s ex-chief security officer Peiter “Mudge” Zatko said the social media company was “over a decade behind industry security standards” in a session that has thrust the company’s cyber security practices into the spotlight — and could shape the future of Musk’s high-stakes legal battle.
Zatko accused its executives of “misleading the public, lawmakers, regulators and even its own board of directors” over its security practices.
The former executive, who was fired by Twitter earlier this year, filed a complaint to US authorities in early July alleging that the company had misled users and regulators about its lax cyber security practices and allowed foreign intelligence infiltration of the platform. The complaint also raised concerns about bots.
The accusations have been seized upon by Tesla co-founder Musk, who is already suing Twitter in relation to his $44bn agreement to buy the company, arguing that it underestimated the number of bots on the platform and misled regulators on that matter.
Zatko’s appearance before the committee comes as the deadline for Twitter shareholders to vote on Musk’s takeover is set to pass later on Tuesday.
In his opening statement, Senator Charles Grassley said Twitter chief executive Parag Agrawal had refused to attend the hearing, claiming it would “jeopardise the ongoing litigation” with Musk. “If these allegations are true, I don’t see how Mr Agrawal can maintain his position at Twitter,” he added.
During the hearing, Zatko said central to Twitter’s security problems was that it did not “know what data they have, where it lives” and that “employees then have to have too much access to too much data”.
However, instead of addressing the issues, executives misled regulators about their compliance with a 2011 settlement with the Federal Trade Commission that ordered them to bolster their privacy and security practices, he said.
This was because they “lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritise profits over security”, he added.
A Delaware judge agreed last Wednesday to consider Zatko’s allegations as part of Musk’s case after his team asserted that, if true, they would constitute fresh grounds to cancel the deal.
Zatko has also been subpoenaed by Musk’s team to testify at the trial, which is set for early October.
Separately, Musk’s lawyers said in a letter to Twitter last Friday that the company’s $7.75mn severance payment to Zatko in June was made in breach of the merger agreement and therefore constituted “an additional basis to terminate” the deal.
According to Musk’s lawyers, the payment violated a clause in the merger agreement stating that the company should not make severance payments outside of the “ordinary course of business” without consulting Musk first.
Musk was neither notified nor asked for consent, his lawyers said, but only found out about the payment on September 3 through legal filings.
In a letter on Monday, Twitter’s lawyers dismissed the accusations around the severance payment as “invalid and wrongful”, adding that the company “intends to enforce the agreement and close the transaction on the price and terms agreed upon with the Musk parties”.
The October trial could shine a light on the inner workings of Twitter’s security practices. The company has long faced criticism for having poor controls, particularly after crypto scammers hacked the official accounts of hundreds of public figures and companies in July 2020.
Zatko, who has previously worked for the US defence department, was brought in by former Twitter chief executive Jack Dorsey in the wake of the hack.
Twitter has accused Musk of getting cold feet over the deal as tech stocks have cooled and repeatedly using “pretexts” to try to wriggle out of his commitment to buy the company.
It has argued that it is Musk who has breached the merger agreement, including violating the non-disparagement clause by repeatedly goading the company and its executives on Twitter.
Twitter’s lawyers said last week that in early 2022 Zatko had raised concerns with senior executives that the company was misleading its risk committee on cyber security matters. However, the company said that these concerns were investigated internally and “found to be without merit”.
Its lawyers also claimed that Zatko had only later started “parroting” Musk’s concerns over the separate issue of bots and spam, adding that this was not his area of expertise and “raises an eyebrow”.
Source: Financial Times, “Whistleblower accuses Twitter of putting ‘profits over security’”, https://www.ft.com/content/0ba17e7c-5770-4324-9c45-7383d5dc0ba2