Twitter whistleblower report holds security lessons

Twitter has been rocked this week following the release of a scathing whistleblower report by a former security executive, and experts say every company should take notice.

Peiter "Mudge" Zatko, the legendary hacker who briefly worked as Twitter's head of security, blew the whistle on internal policies at Twitter that could put it in violation of Federal Trade Commission (FTC) settlement rules and other laws.

Among the accusations made in the report was that Twitter gives many of its employees access to what should have be sensitive user data repositories and fails to properly track or delete user data.

Other portions of the report claim that private information is used for targeted ads and that executives ignored cracking down on spam and bot accounts to boost active user numbers.

Zatko's report, issued Aug. 23 in partnership with Whistleblower Aid, claims that despite his best efforts to turn things around, Twitter was mired in a toxic culture and executive dysfunction that left security policies neglected. Zatko left Twitter in January -- some 14 months after being hired by departed CEO Jack Dorsey.

While Twitter has dismissed the report as the resentful grumblings of a dismissed employee, the disclosures and accusations have rocked the technology sector. Zatko is set to testify before the Senate in September, and former Twitter suitor Elon Musk has indicated he could reference the document in his case with the company over a failed takeover.

Twitter's internal conflicts aside, the whistleblower report could also have an impact on the larger enterprise security world as a blueprint for how not to handle security policies and practices.

Ryan Slaney, a threat intelligence researcher at SecurityScorecard, told TechTarget Editorial that he was taken aback at just how careless Twitter appeared with its security policies and handling of data.

"It made me cringe; I was reading through it and thinking this can't be true," he said.

"It makes me sad to think that an organization like Twitter with so much data that is so important to people has absolutely no regard to keep it safe or delete it when they were supposed to."

Slaney and fellow SecurityScorecard researcher Ryan Sherstobitoff explained that while the described data exposures were bad for any company, they are exponentially worse given Twitter's shaky standing with the FTC.

"The fact that they didn't know whether or not the data had been deleted or even where it went is a fundamental business issue," Slaney said. "I think that they are going to be subject to a lot of fines. The FTC is not going to be happy about this."

One of the root causes of the dysfunction was attributed to conflicts at the highest ranks of the company. Mudge alleged that prior to his departure, Dorsey was largely absent or disconnected from the company and incoming Twitter CEO Parag Agrawal made clear that security would not be a priority under his reign.

Sherrod DeGrippo, vice president of threat research and detection at security vendor Proofpoint, told TechTarget Editorial that if the accusations are true, it will put both Zatko and chief information security officer Rinki Sethi in an all but impossible position.

"Any experienced CISO knows this is an untenable situation that is not sustainable," she said. "Boards and executives, especially those in CIO, CSO and CISO roles, must have the ability to honestly report on problems, knowing there is an avenue for remediation that is supported across executive leadership."

DeGrippo said that, in the end, companies should take the Twitter report as an example of the importance of keeping executive teams on the same page regarding establishing and maintaining security practices.

"Organizations simply need to take security seriously in order to avoid many of these concerns listed," she said. "That means not just implementing technical controls on security but creating a stable and healthy relationship in the executive leadership and board of director ranks."

For Slaney, the takeaway is that whether you are a small company handling sensitive records or a social networking giant dealing with open communications, data security must be the top priority.

"If you are breached, it doesn't matter if it is one piece of personally identifiable information that gets leaked -- you have to report it," he said. "Start with following the law. Privacy law is written in stone, and it needs to be taken seriously."