You’d think that a technology company as large and influential as Twitter would be hot on the case of data privacy and cyber security. Well, recent allegations claim the opposite is true.
This week, an 84-page whistleblower report hit the headlines, featuring damning allegations about Twitter’s security practices. This is a report with weight. It was filed by Twitter’s previous cyber security lead, Peiter Zatko, who has a strong security track record and was, in fact, hired by the company to bolster its cyber defenses after it suffered a data breach in 2020.
Alas, in January of this year, Zatko’s role at the company was terminated. While Twitter alleges that his report was filed out of malice and resentment, Zatko claims that he was fired for flagging security issues that Twitter wanted to ignore.
The incredible detail of the report, combined with Twitter’s rather shoddy history in terms of security, has us leaning towards believing these allegations true. They’re also, unfortunately, relatively common cyber security errors that companies make.
To stop you from becoming the next Twitter, here are the most significant takeaways from the allegations, plus five lessons to apply to your organization’s security posture.
Recap: the Twitter Whistleblower allegations
Zatko worked at Twitter for a year and a half between 2020 and 2022. In that time, he raised numerous concerns with his colleagues about Twitter’s privacy and security risks, which threatened both citizen and government interests.
The major accusations in the report are:
- Twitter hasn’t put much effort into managing staff privileges, meaning employees have way too much access and control over company data. This is an insider threat waiting to happen.
- Allegedly, there are foreign intelligence spies on Twitter’s payroll, which puts national security at risk.
- Almost half of Twitter’s servers don’t have basic security features or run on outdated software.
- In 2010, the FTC filed a complaint against Twitter for failing to handle users’ private information securely. Zatko claims the company still isn’t compliant with this order and has lied to the FTC.
- Zatko claims that Twitter suffers an “anomalously high rate of security incidents,” but none of these are ever reported, even when they should be under the law.
- Twitter is unable to comply with user requests to delete their data, often because it’s lost track of this data completely!
- Lastly, one for Elon Musk fans! Twitter doesn’t have the resources to accurately understand how many bot accounts there are on the platform.
Five lessons from Twitter’s poor security practices
Tied together, these allegations paint the picture of a company that has grossly underestimated its responsibilities to secure and protect customer data.
It appears that, in an ambitious pursuit of growth, Twitter has forgotten about the importance of critical data governance and security practices—even basic things like patching have been left out!
As the saying goes: it’s good to learn from your mistakes. It’s better to learn from other people’s mistakes.
With that in mind, here are five lessons every organization can learn from the Twitter whistleblower report.
1) Data governance is not optional
Data governance is a strategy for managing the availability, integrity and security of your information assets (aka: data) across your organization.
A strong data governance program ensures that employees use your information efficiently and ethically while ensuring it flows securely through the business.
For organizations that work with big data, especially PII and PHI, data governance is a must.
You’d think that Twitter would be a champion of data governance—but clearly not. We speculate that the company hasn’t invested in the right tools for the job.
Solutions like Polymer DLP demystify data governance across your cloud platforms. Whether you are launching a privacy program from scratch or building compliance maturity, the tool is a great launching pad.
2) Data maps: know where your sensitive data is
A data map is the engine behind numerous enterprise data processes. It’s the processing of matching fields from several datasets into a unified, reliable schema. If you don’t properly map your data, it could become corrupt, lost or unusable.
This is exactly what happened to Twitter; it’s why the company fails to comply with deletion requests.
If you’re yet to embark on your data mapping journey, or your strategy has fallen behind, you should start again urgently. Data mapping is not only vital for security, but it makes good business sense too.
3) Employee access controls
We’re firmly in the age of zero trust, where organizations should only give employees the access privileges they need to do their jobs. An intern, for example, shouldn’t be able to access top secret files, and someone in the marketing department shouldn’t be able to change permissions to a database with customer information.
And yet, Twitter allowed just that to happen, which is terrifying for customer privacy. What’s to stop an employee from stealing customer information, committing fraud, or selling their details on the dark web?
It’s fears like this that underline the importance of putting in place dynamic, real-time access controls.
4) Security awareness and training for all employees
Cyber security is just as much about culture as controls and policies. If your employees and leaders don’t care about security, you’ll probably suffer a data breach at some point.
This was a huge issue for Twitter. Even when the whistleblower approached senior leadership about his concerns, he was ignored and, eventually, fired.
That’s why cyber security awareness and training are vital at all levels of the organization. You need your employees to understand cyber security’s importance to business success. It’s far more than just a tick-box; it’s truly a business differentiator.
5) Protect data in cloud apps
Based on Zatko’s allegations, it’s likely that Twitter’s collaboration tools look a bit like the Wild West. Sensitive data is probably stored and shared with different users haphazardly, creating a really high risk of data leakage or theft.
It’s crucial that data governance and security strategies extend protection to the cloud, to popular apps like Slack, Teams, Box and Google Drive. These apps are now where employees spend most of their time, and where sensitive data is most likely to leak from.