Author Topic: Ex-Twitter exec blows the whistle, alleging reckless cybersecurity policies 1/2

Offline javajolt

Twitter has major security problems that pose a threat to its own users' personal information, company shareholders, national security, and democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking, and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.

The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

Zatko was fired by Twitter in January for what the company claims were poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter's board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen.

John Tye, the founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter.

After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, "We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding."

CNN sought comment from Twitter on more than 50 specific questions regarding the disclosure.

In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting, and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.

"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," the Twitter spokesperson said. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that are riddled with inconsistencies and inaccuracies and lack important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."

Some of Zatko's most damning claims spring from his apparently tense relationship with Parag Agrawal, the company's former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to give the board an oral report of his initial findings on the company's security condition rather than a detailed written account, ordered him to knowingly present cherry-picked and misrepresented data to create a false perception of progress on urgent cybersecurity issues, and went behind his back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.

The disclosure is generally much kinder to Dorsey, who hired Zatko and whom Zatko believes wanted to see the problems within the company fixed. But it does depict him as extremely disengaged in his final months leading Twitter -- so much so that some senior staff even considered the possibility he was sick.

CNN has reached out to Dorsey for comment. A person familiar with Zatko's tenure at Twitter told CNN the company investigated several claims he brought forward around the time he was fired, and ultimately found them unpersuasive; the person added that Zatko at times lacked understanding of Twitter's FTC obligations.

Zatko believes his firing was in retaliation for his sounding the alarm about the company's security problems.

The scathing disclosure, which totals around 200 pages including supporting exhibits, was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission, and the Department of Justice. The existence and details of the disclosure have not previously been reported. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ, and FTC declined to comment; the Senate Intelligence Committee, which received a copy of the report, is taking the disclosure seriously and is setting a meeting to discuss the allegations, according to Rachel Cohen, a committee spokesperson.

Sen. Dick Durbin, who chairs the Senate Judiciary Committee and also received the report, vowed to investigate "and take further steps as needed to get to the bottom of these alarming allegations."

Sen. Chuck Grassley, the same panel's top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to CNN.

"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," Grassley said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."

The FTC should investigate the claims, and impose fines and individual liability on specific Twitter executives if a probe finds they were responsible for security lapses, Sen. Richard Blumenthal wrote to the agency in a letter on Tuesday obtained by CNN.

The letter by Blumenthal — who chairs the Senate subcommittee on consumer protection — highlights the pressure Twitter now faces from Washington as a result of the disclosure.

"If the Commission does not vigorously oversee and enforce its orders, they will not be taken seriously and these dangerous breaches will continue," Blumenthal wrote.

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. "Original, timely and credible information that leads to a successful enforcement action" by the SEC can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said. The SEC has awarded more than $1 billion to nearly 300 whistleblowers since 2012.

Tye told CNN that Zatko filed his disclosure to the SEC "to help the agency enforce the laws," and to gain federal whistleblower protections. "The prospect of a reward was not a factor in Mudge's decision, and in fact, he didn't even know about the reward program when he decided to become a lawful whistleblower."