In late August, the former head of cybersecurity at Twitter, Peiter “Mudge” Zatko, filed claims with three federal agencies stating that during his tenure at Twitter, he witnessed “egregious deficiencies, negligence and willful ignorance” concerning the platform’s security protocols.
He alleged that the company misled users, regulators, and even its own board. He also claims the government of India forced the company to employ one of its agents as a spy. The company, of course, denies the claims, but Zatko’s whistleblowing has thrown big tech cybersecurity further into the spotlight.
Twitter’s History of Compromised Security
Zatko was hired to head Twitter’s cybersecurity department following a 2020 hack in which several celebrity accounts were compromised. An investigation into the hack revealed that contractors with access to Twitter’s back-end had been spying on celebrities for years, reading their private messages and tracking their locations.
The previous year, investigators discovered that two former Twitter employees in America were acting on behalf of the Saudi Arabian government and accessing information on Saudi critics via Twitter’s internal tools. One employee was convicted last month of acting as an unregistered agent of the Saudi government.
Also that year, Twitter mistakenly used the phone numbers and email addresses that users had provided for two-factor authentication for ad targeting.
Twitter Is Not Alone
Twitter is not the only big tech platform to suffer security incidents—not by a long shot.
In 2021, personal data of more than 530 million Facebook users was leaked online. In 2019, a cybersecurity expert discovered that Facebook stored millions of user passwords in plain text that thousands of employees could access. There were several other security breaches that year, including the exposure of the personal data of 267 million users on the dark web.
Instagram, YouTube, and TikTok have all had their fair share of compromises, including a leak of 235 million profiles from all three.
Three Major Threats to Data Safety Today
The question of data breaches is not if they will occur, but when they will occur. This is especially true for big tech platforms, since they hold so much information and have so much at stake. There are several issues when it comes to corporate cybersecurity:
● Insider threats from state and non-state actors
● Overconfidence in the company’s cybersecurity
● No federal regulations for reporting breach incidents
The Twitter scandal is a case in point for all three challenges. Employing an agent of a foreign government, executive misconduct, and misleading the board and regulators all appear in Zatko's report.
Regulations Are on the Way
The issue of federal regulations is being addressed by the SEC (U.S. Securities and Exchange Commission), which has proposed new cybersecurity reporting requirements. The new standards will set deadlines for reporting incidents and require companies to disclose their cybersecurity policies and procedures, so that investors understand the company's risk exposure and its strategy for managing it.
While new regulations are rarely welcomed, the larger goal is to make companies protect themselves properly, to a higher standard than they would set for themselves. If big tech platforms have been breached repeatedly, there is no telling how much damage a data breach could do to a small or mid-sized company.
Of course, it is not enough to rely on reporting regulations—companies also need to guard against malicious actors both inside and outside their ranks, and against overconfidence in their existing security protocols.
Interfor’s Cyber Risk and Technology team helps companies and governments monitor for and implement sophisticated measures to prevent data breaches and other cyber threats. Our Enhanced Due Diligence department can discreetly investigate employees suspected of acting as foreign state agents. Whatever your security and intelligence needs are, Interfor can meet them.