A former security officer at Twitter told senators on Tuesday that he learned a Chinese intelligence agent was on the social media company’s payroll a week before he was dismissed.
It was just one of a string of vulnerabilities unveiled by Peiter ‘Mudge’ Zatko, a respected cybersecurity expert.
He was hired in November 2020 after a hack that compromised high-profile accounts but was fired barely a year later.
Such were the security failings, he said, that he was not surprised to learn an agent of the Chinese Ministry of State Security was operating inside Twitter.
‘I had been told because the corporate security physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China’s intelligence services, on the payroll inside Twitter,’ he told a hearing of the Senate Judiciary Committee.
‘While it was disturbing to hear, I and many others, recognising the state of the environment at Twitter, were really thinking if you are not placing foreign agents inside Twitter – because it’s very difficult to detect them … it is very valuable to a foreign agent to be inside there – as a foreign intelligence company, you’re most likely not doing your job.’
Twitter Inc.’s former security chief Peiter ‘Mudge’ Zatko is sworn in to testify before a Senate Judiciary Committee hearing to discuss allegations from his whistleblower complaint that the social media company misled regulators.
His warnings echo similar criticisms of other social media giants, such as Facebook, that they are not doing enough to protect user data.
And he accused executives of ignoring engineers and their concerns, putting profits ahead of security.
When he raised the problem of a foreign agent, it got short shrift.
‘I’m reminded of one conversation with an executive when I said, “I am confident that we have a foreign agent,” and their response was, “Well, since we already have one, what does it matter if we have more? Let’s keep growing the office,”’ Zatko said.
Too many Twitter staff had access to sensitive data, he continued, coupled with a culture of only reporting good news.
‘They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,’ he said.
‘It doesn’t matter who has keys if there are no locks.’
Zatko filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission.
Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Senators focused on his claims that foreign agents had worked inside Twitter.
Elon Musk, who is locked in a dispute with Twitter, appeared to be enjoying the hearing.
Sen. Chuck Grassley, the ranking Republican on the committee, said the platform had a trove of information that would be useful for adversaries.
‘Because of his disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,’ he said in his opening statement.
‘For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter.
‘His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.’
Twitter did not immediately respond to a request for comment.
But the company has previously disputed Zatko’s claims. It says he was fired for poor performance and that his complaint is ‘riddled with inaccuracies.’
However, his evidence will almost certainly be used by Elon Musk as he battles to get out of his deal to buy Twitter for $44 billion.
Zatko accused the company of deception in its handling of automated ‘spam bots’ or fake accounts – one of Musk’s key arguments.
Musk even tweeted a popcorn emoji, suggesting he was watching the live hearing.
And Sen. Lindsey Graham alluded to Musk’s bid, asking: ‘Would you buy Twitter given what you know?’