- Former Twitter security head Peiter Zatko testified before Congress on September 13 as a whistleblower regarding allegations of several security failures at the company.
- Twitter’s alleged security failures included mishandling user data, having a lack of access controls in place to safeguard data, misleading the FTC, and potentially allowing foreign governments to exploit the platform to spread disinformation.
- The allegations against Twitter remain unproven, yet they are severe and offer many lessons to SMBs regarding what steps a business should take to avoid potentially disastrous cyber attacks.
- This article is for business and IT leaders who want to know what steps they can take to improve their company’s cybersecurity measures.
Twitter’s former head of security turned government whistleblower Peiter Zatko gave testimony to the Senate Judiciary Committee in September regarding multiple security, regulatory and privacy failures at the social media giant. Zatko’s testimony came after the committee subpoenaed him following his public disclosure of alleged lax security at Twitter in August. Among Zatko’s allegations were the company’s violation of numerous laws and regulations, including the mishandling of users’ personal data.
Although Zatko’s allegations have not been proven, they offer a cautionary security lesson for SMBs. Privacy concerns, handling of user info, and security vulnerabilities will only become more pressing as more U.S. states and foreign countries pass stricter data privacy regulations. With that in mind, we’ve put together the following article outlining what Twitter’s alleged failures were, what SMBs can learn from this, and what steps SMBs can take to improve their security now.
What were Twitter’s alleged security failures?
Zatko alleged a number of security failures and issues at Twitter, ranging from mishandling of customers’ private data to allegations that foreign spies and manipulators could take advantage of potential security holes at the company.
These allegations remain unproven, and Twitter’s CEO distributed an internal letter claiming Zatko’s allegations were “riddled with inconsistencies.” Twitter also reportedly said it fired Zatko for “ineffective leadership and poor performance.” Additionally, the company reportedly paid him $7 million as part of a settlement agreement that included an NDA in June 2022, according to the Wall Street Journal.
Regardless of the validity of the allegations, SMBs can still take away a number of important security lessons from the drama playing out between Zatko and Twitter today. The following alleged failures are important points all SMB IT and security teams should keep top of mind.
Mishandling user data
According to Zatko, Twitter had multiple issues properly handling and deleting user data. Twitter allegedly did not properly delete user data after users canceled their accounts. Additionally, Twitter could not account for such user data after account cancellation, and Zatko claimed the company misled the Federal Trade Commission (FTC) about user data when questioned.
Zatko also alleged Twitter mishandled active user data and was in non-compliance with a 2011 consent decree the FTC and Twitter reached after the FTC previously found Twitter failed to protect user data. According to Zatko, Twitter used phone numbers and/or email addresses that users provided only for safety and security purposes for targeted advertising. Additionally, Zatko claimed the company only understood the purpose of 20% of the user data it was collecting, and that the company did not have a full understanding of what user data it was collecting or why.
Mishandling user data is a violation of data privacy laws like the EU’s General Data Privacy Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Additionally, it exposes users to malicious actors who might seek to misuse their personal information in a number of ways, from launching scams to selling personal data on the dark web.
Lack of access controls
Zatko alleged that Twitter lacked security access controls to safeguard user data and sensitive live production systems. Twitter also did not have a development and testing environment, Zatko said, meaning any change to the live production systems took effect immediately in the commercial service. According to Zatko, approximately half of Twitter’s 10,000 full-time employees had access to the data or the production systems. Zatko also alleged Twitter had no system in place to log who went into the production environments or what they may have done.
If true, this would mean that many people could have accessed private user data without cause and without anyone being aware. According to Zatko, this data contained information like user IP address, email address, the location Twitter thought a user was connecting to the service from and more.
Over half of Twitter’s servers ran on outdated software, according to Zatko. He said many of these servers could not carry out basic security best practices like supporting data encryption or vendor security updates. If true, this could have made the systems unstable as well as exposing them to compromise.
Lack of end-user security
Zatko alleged that over 30% of employee computers had disabled software and security updates; many of these devices also had other security features, like system firewalls, turned off, he testified. Twitter was also unable to actively monitor what employees were doing on their devices or what software they were installing, Zatko testified.
Twitter also did not have any mobile device management (MDM) solutions for employee phones, Zatko said, despite the fact that thousands of these devices were capable of accessing core company systems.
Twitter allegedly faced a range of technical security and privacy failures, which culminated in potential system instability and widespread employee access to sensitive data and production environments. Zatko also claimed Twitter did not have in place any systems to log employee access to such sensitive data.
What can the Twitter security allegations teach SMBs?
Zatko’s allegations about security mishaps at Twitter remain unproven. Even so, they help illuminate many critical security areas that SMBs should be aware of within their own environments.
Put in place proper privileges
One of the largest lessons SMBs should take from these hearings is the importance of maintaining strict access controls. Lax access control measures are one of the leading causes of security breaches. In the majority of cases, attackers reach privileged data because companies poorly secure their environments and accounts, and because they entrust too many people with too much access.
In the worst cases, improper access controls can lead to large-scale data breaches, threatening a business’s reputation, causing system downtime, and leading to potential financial losses and lawsuits.
Relatedly, businesses should put in place the principle of least privilege. This principle states any application or user should be given the least amount of privilege necessary to carry out their job, and that these privileges should also be given for as short a period as possible.
Adhere to data best practices
Businesses should also take away from these hearings the importance of properly handling users’ data. User data should be kept encrypted at rest — meaning when it is sitting in a server or on a machine — as well as in transit — meaning when it is moving between machines. Even when encrypted, user data should be kept on a separate network.
User data should also be protected with strict access controls, meaning only people with specific needs should be able to access the data. All access to user data should also be properly logged.
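The two controls described above (least privilege with short-lived grants, and logging of every access to user data) fit together naturally in a deny-by-default policy check. The following is an added example written for this article, not code from Twitter or from the author; the principal names, dataset name and timestamps are constructed, and the `AccessPolicy` class and its methods are illustrative rather than any real product's API.

```python
"""Least-privilege access check with time-bounded grants and an audit log.

Added example (constructed for this article): a minimal policy engine that
models two controls at once. Grants are scoped to one principal, one dataset
and one operation, and expire after a short TTL; every access decision,
allowed or denied, is appended to an audit log so access can be accounted for
later.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str        # who may act
    dataset: str          # which data store (e.g. the user PII table)
    operation: str        # "read" or "write"
    expires_at: datetime  # grants are short-lived by design


@dataclass
class AuditEvent:
    timestamp: datetime
    principal: str
    dataset: str
    operation: str
    allowed: bool
    reason: str


class AccessPolicy:
    """Deny-by-default: access succeeds only with a live, exactly matching grant."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []
        self.audit_log: list[AuditEvent] = []

    def grant(self, principal: str, dataset: str, operation: str,
              ttl: timedelta, now: datetime) -> None:
        """Issue a grant that expires after ttl (the 'as short as possible' rule)."""
        self._grants.append(Grant(principal, dataset, operation, now + ttl))

    def check(self, principal: str, dataset: str, operation: str, now: datetime) -> bool:
        """Return True only if a matching, unexpired grant exists; always log the decision."""
        allowed = False
        reason = "no matching grant"
        for g in self._grants:
            if (g.principal, g.dataset, g.operation) == (principal, dataset, operation):
                if now < g.expires_at:
                    allowed = True
                    reason = f"grant valid until {g.expires_at.isoformat()}"
                    break
                reason = f"grant expired at {g.expires_at.isoformat()}"
        self.audit_log.append(AuditEvent(now, principal, dataset, operation, allowed, reason))
        return allowed


def demo():
    """Exercise the policy with constructed principals and a constructed clock."""
    now = datetime(2022, 9, 13, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = AccessPolicy()
    # alice needs one hour of read access to the user PII store for a support task.
    policy.grant("alice", "user_pii", "read", timedelta(hours=1), now)
    results = {
        "alice_read_now": policy.check("alice", "user_pii", "read", now),      # allowed
        "alice_write_now": policy.check("alice", "user_pii", "write", now),    # denied: wrong operation
        "bob_read_now": policy.check("bob", "user_pii", "read", now),          # denied: no grant at all
        "alice_read_later": policy.check("alice", "user_pii", "read",
                                         now + timedelta(hours=2)),            # denied: grant expired
    }
    return results, policy.audit_log


if __name__ == "__main__":
    results, log = demo()
    for event in log:
        verdict = "ALLOW" if event.allowed else "DENY"
        print(f"{event.timestamp.isoformat()} {verdict} {event.principal} "
              f"{event.operation} {event.dataset}: {event.reason}")
```

Every decision, including the denials, lands in the audit log; in practice that log would be shipped to a system the data owners cannot edit, so that a later question of who touched which records can be answered rather than guessed at.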
Implement patch management
Businesses of all sizes should put in place a patch management process. This process helps IT and security teams stay on top of security updates and patches released for software and hardware used throughout the network. A proper patch management process should include a test environment where the IT team can roll out patches first to ensure they do not degrade any critical business functions.
A patch management process also helps IT teams prioritize updates. IT teams should pay extra attention to patching critical vulnerabilities, vulnerabilities that hackers are currently exploiting, and vulnerabilities in devices that may be storing critical business data, such as servers.
Rethink end-user security
Changes in the work environment and the proliferation of mobile devices have made it harder for businesses to secure end-user devices. There are no quick, easy fixes for increasing end-user security, and there is always the risk of human error, such as in the case of accidentally downloading malware or falling for a phishing email. However, businesses can help increase overall security in the long term by redesigning their networks to use a zero-trust architecture and security solutions like MDMs.
The alleged security failures at Twitter serve as a learning opportunity to SMBs. SMBs should take away from these hearings the importance of encrypting sensitive data, having strong access control policies and procedures, having a process in place to patch and update all software and hardware, as well as ensuring security programs are functioning on all employee devices.
Steps SMBs can take to improve their security now
Crafting a complete security program takes time, money and expertise. However, there are many steps SMBs can take to quickly firm up their protection of customer data and their overall cybersecurity.
Businesses with dedicated IT teams can quickly improve their security by doing the following:
- Use unique, strong passwords on every account
- Require two-factor authentication for all accounts wherever possible
- Require the use of password managers to generate and securely store passwords
- Use encryption to protect all sensitive user and company data
Businesses without dedicated IT teams should consider hiring a managed services provider (MSP). MSPs allow a business to outsource IT and security tasks. This can be incredibly helpful for businesses that do not have the technological know-how or processes in place to fully safeguard their networks and user data.
When it comes to security, the most critical step a business can take is getting started. Any protections an SMB can put in place are better than none. And, as the allegations against Twitter show, the best time to start improving cybersecurity is yesterday.