Twitter Auditors Missed Lapses Later Exposed by Whistleblower

A previously undisclosed government-ordered audit of Twitter Inc.’s privacy and data controls missed failures later exposed by a whistleblower -- raising questions about oversight of major technology platforms.

The 2021 external audit, obtained by Bloomberg News in response to a public records request, concluded that the company had appropriate safeguards. Months later, the company’s cybersecurity chief had left and alleged that Twitter’s practices were marred by “egregious deficiencies.”

Ernst & Young LLP certified that Twitter’s information security program was appropriate for the company’s size and that its “security controls meet or exceed the protections required” by the US Federal Trade Commission under a 2011 consent decree. The whistleblower, Twitter’s ex-head of cybersecurity, Peiter Zatko, filed a complaint and testified before Congress earlier this year saying that the company was a “ticking bomb of security vulnerabilities.”

It’s not the first time that an FTC-ordered audit has neglected to uncover security weaknesses. FTC-ordered audits of Meta Platforms Inc.’sFacebook in 2015 and 2017 failed to identify the problems with the social media company that led to the Cambridge Analytica data breach. Uber Technologies Inc. and Alphabet Inc.’s Google are also subject to FTC orders.

Twitter’s practices are in the spotlight again amid an exodus of its security team and the FTC expressing concern about the company under new owner Elon Musk, who has fired thousands of employees and introduced new products and policies at a breakneck pace. Three of the company’s top privacy and security officials resigned this week.

Ernst & Young declined to comment on the audits, citing client confidentiality. Twitter didn’t respond to requests for comment for this story. It previously denied Zatko’s allegations, saying they are are “riddled with inconsistencies and inaccuracies,” and that access to data is controlled by monitoring systems and background checks.

Peiter Zatko, Twitter’s former security chief, at a Senate Judiciary Committee hearing on Sept. 13, 2022

Photographer: Eric Lee/Bloomberg

Even though Musk took the company private last month, Twitter is still subject to FTC oversight under the consent order through at least 2042, meaning that any changes to the company’s privacy and data policies and new product offerings are subject to scrutiny by the agency.

The FTC said in a statement Thursday that it’s tracking recent developments at Twitter with “deep concern.”

“No CEO or company is above the law, and companies must follow our consent decrees,” FTC spokesperson Douglas Farrar said. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

The FTC has been scrutinizing Twitter’s privacy and data-security compliance for more than a decade, requiring it to submit to independent audits every other year. The 2011 consent order resolved allegations that Twitter had failed to adequately protect user data in a 2009 hack of the social media platform that allowed intruders to send out phony messages from any user account.

Twitter in May paid a $150 million penaltyfor violating the order by misusing email addresses provided for security purposes. The agency said Twitter used the emails for targeted advertising from 2013 to 2019.

Known by his hacker name “Mudge,” Zatko joined Twitter in late 2020 at the behest of former Chief Executive Officer Jack Dorsey to help address security concerns. He was fired in January 2022 over what the company said were performance shortcomings.

In Senate testimony in September, Zatko criticized the FTC’s oversight of Twitter, comparing it to “letting companies grade their own homework.”

“The FTC is a little over their head,” Zatko told senators. “Foreign regulators were much more feared than the FTC.” He said the security lapses were so grave that they threatened national security and were dangerous for users.

Recent Actions

The agency, in a statement to Bloomberg News, said: “It’s clear from recent enforcement actions that the FTC is not afraid to take companies and their executives to court to protect the public and vindicate our orders.”

Much of the 2021 audit, which covers the period from Sept. 13, 2019 to Sept. 12, 2021 is redacted. A representative for Zatko said he couldn’t comment on whether he was among those interviewed as part of the audit because he is legally barred from discussing his whistleblower complaint except with Congress or other federal agencies that received it.

--With assistance from Kurt Wagner.

To contact the reporters on this story:
Leah Nylen in Washington at lnylen2@bloomberg.net;
Jason Leopold in Los Angeles at jleopold15@bloomberg.net

To contact the editors responsible for this story:
Sara Forden at sforden@bloomberg.net

Jon Morgan

© 2022 Bloomberg L.P. All rights reserved. Used with permission.