A whistleblower complaint filed by Twitter’s former head of security alleged widespread mismanagement regarding spam and privacy issues by the social media company.
The complaint from the former head of security, Peiter Zatko, alleged that Twitter executives lied to federal regulators and its own board of directors about “extreme, egregious deficiencies” in its defenses against hackers and its efforts to reduce spam.
Among the most severe accusations by Zatko was that Twitter violated the terms of an 11-year-old agreement with the Federal Trade Commission (FTC) by falsely claiming that it had a solid security plan.
Zatko claimed he repeatedly warned colleagues that half of the company’s servers were out-of-date and running vulnerable software. He alleged that company executives withheld critical information about the frequency of data breaches and the lack of protection for users.
The complaint, a copy of which was obtained by The Washington Post, was filed last month with the U.S. Securities and Exchange Commission (SEC), the Department of Justice (DOJ), and the FTC.
It also claimed that thousands of Twitter employees had wide-ranging and poorly tracked access to core company software. The complaint stated that this unfettered access led to embarrassing hacks, including the takeover of accounts belonging to high-profile users such as Elon Musk and former presidents Barack Obama and Donald Trump.
The whistleblower complaint also alleged executives prioritized user growth over reducing spam and rewarded executives with cash bonuses of up to $10 million to increase the number of daily users.
The complaint asserted Twitter Chief Executive Parag Agrawal was “lying” when he said in May the company was “strongly incentivized to detect and remove as much spam as [it] possibly can.”
Zatko told The Washington Post that his decision to file the whistleblower complaint was an extension of his previous work exposing security flaws within the company.
“I felt ethically bound. This is not a light step to take,” said Zatko, who was fired by Agrawal in January.
Zatko declined to elaborate on what led to his termination from Twitter but stood by the formal complaint. Under SEC whistleblower rules, he is protected against retaliation and may be eligible for a monetary award.
The complaint was also sent to lawmakers on the Senate Judiciary and Intelligence committees, who pledged to conduct their own investigations.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” said Sen. Dick Durbin (D-IL), the chairman of the Judiciary Committee. “I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations.”
Twitter spokeswoman Rebecca Hahn told The Washington Post that “security and privacy have long been top companywide priorities at Twitter.”
She said that Zatko’s allegations were “riddled with inaccuracies” and that Zatko “now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.”
Hahn stated that Twitter fired Zatko after 15 months in his position “for poor performance and leadership.”
The spokeswoman claimed that Twitter has improved its security extensively since 2020, that its security practices are within industry standards, and that it has specific rules about who can access company systems.
Hahn disputed Zatko’s allegations about spam, saying Twitter removes more than a million spam accounts daily, adding up to more than 300 million per year.
Twitter “fully stands by” its SEC filings and approaches to fighting spam, said Hahn.
Agrawal, the Twitter CEO, responded to the whistleblower complaint in a message to staff sent Wednesday morning, which was obtained by CNN’s Donie O’Sullivan.
Agrawal’s message to staff read, in part:
“We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”