A whistleblower complaint from Twitter Inc.’s former head of security, claiming severe shortcomings in the social media company’s handling of users’ personal data, will have wide ramifications for the business.
US lawmakers vowed to investigate, and the legal team for Elon Musk, who is seeking to abandon his agreement to acquire Twitter, was emboldened by the claims. Twitter shares fell as much as 5% on Tuesday, the biggest intraday drop in more than a month.
The former executive, Peiter Zatko, alleged “egregious deficiencies” in Twitter’s defences against hackers and other lax approaches to security, according to a copy of the complaint reviewed by Bloomberg.
Zatko said he had warned colleagues that some of Twitter’s servers were running out-of-date software and that executives had withheld information about breaches and lack of protections for user data.
US House representatives confirmed the whistleblower complaint in a joint statement from Frank Pallone and Cathy McMorris Rodgers, the top Democrat and Republican on a House panel that received the report.
“The Energy and Commerce Committee is actively reviewing the Twitter whistleblower disclosure and assessing next steps,” they wrote.
“There are still a lot of unknowns and questions that need to be answered. Many of these allegations, if true, are alarming and reaffirm the need for Congress to pass comprehensive national consumer privacy legislation to protect Americans’ online data.”
Thousands of employees also had access to core company software, which led to hacks of high-profile users, according to the report.
The Washington Post, which first reported on the complaint along with CNN, said it was sent to the US Securities and Exchange Commission, the Justice Department and the Federal Trade Commission.
The DOJ, FTC and SEC declined to comment.
The whistle-blower document also alleged that Twitter prioritized growth over reducing the number of spam accounts, offering executives cash bonuses of as much as $10 million tied to increasing the number of daily users.
Spam and “bots” on Twitter have been a key flash point in the company’s dispute with Musk.
Musk’s lawyers also said Tuesday that they have issued a subpoena for Zatko to testify in the court battle. Legal experts said Zatko’s complaint bolsters Musk’s case.
Twitter pushed back. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesman said when contacted for comment by Bloomberg.
“Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Twitter said Zatko was fired in January for “ineffective leadership and poor performance.” Bloomberg was unable to reach Zatko for comment. Whistleblower Aid, which represents him, said he stands by his disclosures.
“His career of ethical and effective leadership speaks for itself,” John Tye, chief disclosure officer of Whistleblower Aid, said in an emailed statement.
“The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistle blower.”
In a memo reviewed by Bloomberg, Chief Executive Officer Parag Agrawal told employees it was likely “frustrating and confusing to read” the complaint, “given Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination.”
Agrawal warned of further distractions and said he will address employees at a meeting Wednesday.
Musk made a reference to the claims via Twitter, with an image of the “Pinocchio” character Jiminy Cricket saying “give a little whistle,” a line from his signature song about listening to your conscience.
If Zatko’s claims are verified, Twitter would be in violation of a 2011 agreement with the FTC. Members of the Senate Judiciary and Intelligence Committees said the report presents serious claims that could impact user privacy and national security.
The budding investigation is reminiscent of congressional probe of whistle-blower allegations against Facebook, owned by Meta Platforms Inc., that first appeared in the Wall Street Journal last year.
Meta has lost more than half of its market value since that complaint was published and earnings reports suggested that the level of Facebook’s US users has plateaued.
Despite bipartisan anger at Facebook, Congress hasn’t passed any meaningful legislation to set stricter rules for internet companies.
Tech-focused antitrust bills under consideration would only apply to a handful of platforms that are larger than Twitter.
Twitter had largely escaped the ire of lawmakers in this Congress who have called representatives from TikTok, Snap and Meta-owned Instagram to testify.
But Judiciary Chair Dick Durbin on Tuesday said the reports “raise serious concerns,” and he promised to “continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations.”
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” said Durbin, a Democrat from Illinois.
Iowa Senator Chuck Grassley, the ranking Republican on the Senate Judiciary Committee, is one of the lawmakers who has reviewed the complaint and is working with Zatko.
Grassley said the whistle-blower claims “raise serious national security concerns as well as privacy issues, and they must be investigated further.” The Senate Intelligence Committee is also looking into Zatko’s claims, said spokesperson Rachel Cohen.
Florida Senator Marco Rubio, the ranking Republican on the Intelligence Committee, said he and his colleagues are “treating the complaint with the seriousness it deserves and look forward to learning more.”
“Twitter has a long track record of making really bad decisions on everything from censorship to security practice,” Rubio said in a statement. “That’s a huge concern given the company’s ability to influence the national discourse and global events.”
Twitter’s 2011 settlement with the FTC barred the company for 20 years from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information.”
That agreement sprang from a 2009 hack of the social media platform that allowed intruders to send out phony messages from any account, among other issues.
In May, Twitter paid $150 million to the FTC for misusing user phone numbers uploaded for security purposes to target advertising.
The use of the phone numbers breached the social media company’s 2011 consent decree where it agreed to better protect users’ personal data.
Zatko’s complaint alleges further violations of the 2011 settlement, which could open Twitter to additional potential fines.
A federal judge accepted the $150 million settlement in May, but the FTC could opt to reopen the case or file another complaint.
In his complaint, Zatko alleges that Twitter sales teams have continued to misuse phone numbers collected for security purposes for targeted advertising, that the data from users who deactivated their accounts wasn’t properly deleted and that executives misrepresented information to the FTC about the company’s privacy policies.
His complaint also alleged that Twitter didn’t properly monitor potential threats from insiders or take corrective actions when needed.
Earlier this month, a former Twitter employee was convicted of spying for Saudi Arabia, using his access to obtain personal information about the government’s critics.