A former Twitter security chief has claimed the social network misled US regulators over its cyber security defences and fake accounts, allegations that threaten to hamper the company’s legal effort to stop Elon Musk reneging on a $44bn buyout deal.
Peiter Zatko, known in cyber security circles as “Mudge”, was fired by Twitter at the beginning of this year. He was brought in by former chief executive Jack Dorsey in the wake of a major and embarrassing hack on the company in July 2020.
According to Whistleblower Aid, a non-profit legal group representing Zatko, Twitter’s former security lead last month filed a complaint to the US Securities and Exchange Commission, Department of Justice and Federal Trade Commission as well as members of Congress.
Zatko alleged that Twitter violated an agreement with the FTC regarding cyber security precautions and accused the company of deception around the detection and deletion of fake or spam accounts — including those that may have been used for foreign interference or misinformation.
The dispute over the prevalence of fake accounts on the network is at the heart of Musk’s attempt to cancel his deal to buy the company. The billionaire Tesla chief executive has claimed independent analysis shows the company has grossly understated the problem in financial filings.
Details of the leaked complaint were first reported by The Washington Post and CNN. Zatko told the Post he had been “ethically bound” to make his disclosures.
Zatko also alleged that Twitter had foreign agents on its payroll with “direct unsupervised access to the company’s systems and user data”. Earlier this month, a Twitter employee was found guilty in a San Francisco federal court of spying for Saudi Arabia by passing on the personal information of users criticising the country’s rulers.
Twitter said Zatko had been dismissed from the company because of “ineffective leadership and poor performance”.
The company added: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.
“Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Twitter’s share price fell roughly 5 per cent during early afternoon trading in New York.
Democrat Richard Blumenthal, who chairs the Senate commerce committee, wrote to FTC chair Lina Khan on Tuesday demanding an investigation into the whistleblower’s claims: “If the Commission does not vigorously oversee and enforce its orders, they will not be taken seriously and these dangerous breaches will continue.”
The FTC declined to comment, and the SEC and DoJ did not immediately return a request for comment. The Senate intelligence committee said members were “in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
Whistleblower Aid — which previously represented Facebook whistleblower Frances Haugen — said that Zatko had no further comment. The group added he would “of course honour” any subpoenas.
Alex Spiro, a lawyer representing Musk, said: “We have already issued a subpoena for Mr Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
On Monday, Musk’s legal team issued a subpoena to Dorsey, who stepped down as Twitter’s chief executive in November, seeking any communications between him and executives regarding how fake accounts had been handled, as well as its calculations of “monetisable” users. The case is headed for trial in October in the Delaware Court of Chancery.
“Zatko’s allegations do seem to resemble some of the issues that Musk has raised about why he no longer wants to purchase Twitter,” said Carl Tobias, a professor at the University of Richmond’s law school. “How reliable and relevant Zatko’s account is remains unclear — more discovery as each side assembles its case may help.”
Additional reporting by Kiran Stacey in Washington