In recently filed whistleblower complaints, Peiter Zatko, Twitter’s former head of security, alleges that the company deceived regulators, investors, and its own board of directors about “extreme, egregious deficiencies” in its cybersecurity defenses.
Zatko, a hacker known as “Mudge,” served as the tech giant’s head of security from November 2020 until January 2022. In July 2022, he filed whistleblower complaints with the U.S. Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), and Department of Justice (DOJ). Zatko’s whistleblower disclosure was first reported and published by The Washington Post and CNN.
In the complaint, Zatko alleges that “the corporation, CEO Parag Agrawal, particular senior executives, and members of its Board of Directors, since 2011 and on an ongoing basis, have engaged in… extensive, repeated, uninterrupted violations of the Federal Trade Commission Act by making false and misleading statements to users and the FTC about, inter alia, the Twitter’s platform’s security, privacy, and integrity.”
Zatko further alleges that Twitter engaged in “violations of SEC rules governing public companies including, inter alia, auditing requirements,” as well as “fraudulent and material misrepresentations in communications with the Board of Directors and investors, constituting securities violations.”
Zatko’s lengthy whistleblower complaint details a number of instances in which Twitter executives, including Agrawal, allegedly partook in “deliberate efforts to mislead.” For example, according to Zatko, in 2021 he prepared “comprehensive written materials to educate the Board on his findings about the company’s extensive security, privacy, and integrity problems.” Zatko alleges he was instructed not to share the materials with the Board.
Members of Congress quickly took note of Zatko’s allegations. On August 23, Senator Richard Blumenthal (D-CT) sent a letter to the FTC expressing concern over the allegations and urging the FTC to investigate the matter. Senators Chuck Grassley (R-IA) and Richard Durbin (D-IL) of the Senate Judiciary Committee say they have been in communication with Zatko about his disclosures.
Zatko is not the only recent former Big Tech employee to garner media and Congressional attention for an SEC whistleblower complaint. In 2021, former Facebook employee Frances Haugen filed SEC whistleblower disclosures alleging that the company misled investors about its handling of toxic and criminal content on its website. The legal theory that these sorts of misrepresentations are SEC violations has been deployed by several other SEC whistleblowers over the past several years.
Through the SEC Whistleblower Program, qualified whistleblowers can receive awards of 10-30% of the funds recovered by the government in a connected enforcement action. Since 2012, the SEC has awarded over $1.3 billion to over 280 whistleblowers.
Former security chief claims Twitter buried ‘egregious deficiencies’