A former Twitter executive-turned-whistleblower on Tuesday portrayed the social media giant as dysfunctional when it comes to its online security and the data it collects, putting national security and some users’ safety at risk.

Testifying before the Senate Judiciary Committee, Peiter Zatko, who was Twitter’s security chief from November 2020 through January of this year, when he was fired, also said the company ignored warnings because “their executive incentives led them to prioritize profits over security.”

Zatko, who filed a whistleblower disclosure in July, said Twitter doesn’t fully know “what data they have, where it lives or where it came from. And so, unsurprisingly, they can't protect it.” He said the company was properly managing only about 20% of the user data it collected and that the rest was vulnerable to exploitation. 

He also said too many employees have access to data and critical company software, leaving the platform open to hacks and employees accessing sensitive personal information about users.

“You can think of it this way, which is it doesn't matter who has keys if you don't have any locks on the doors,” testified Zatko, who says Twitter fired him after he raised his security concerns internally. 

The former Twitter executive also said Twitter lacked a staging environment for testing — which he called an “oddity” — allowing a greater number of engineers access to the live product.  

A renowned ethical hacker widely known by his handle “Mudge,” Zatko said when he joined Twitter, the company was 10 years behind industry security standards. He also said the company lacked tools that made it easy to track log-in attempts on systems, making it difficult to investigate whether any employees might have tried to access information or software outside the purview of their work. 

“We don't log the activities of the systems. I was surprised by this,” Zatko said. “Later on in my tenure, I learned that there were thousands of failed attempts to access internal systems that were happening per week, and nobody was noticing.”

Meanwhile, he said, Twitter is a “gold mine” for foreign governments to infiltrate and that the company lacks the means to detect whether any spies are working for it.

“If you are not placing foreign agents inside Twitter  … as a foreign intelligence company, you're most likely not doing your job,” Zatko said.

In his complaint, Zatko said he believes the Indian government forced Twitter to put one of its agents on the payroll, giving them access to user data at a time of intense protests in the country. Last month, a former Twitter employee was convicted of spying for the Saudi Arabian government by sharing personal information about dissidents who used the platform.

Zatko also testified that shortly before he was fired, he was told there was at least one Chinese intelligence agent on the payroll inside Twitter. 

“If you placed somebody in Twitter, as we know has happened, it would be very difficult for Twitter to find them,” he said. “They would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or on information as to Twitter's decisions and discussions and to the direction of the company.”

He added that Twitter was too concerned about revenue and addressing other “crises” — system disruptions or matters receiving media or government attention — to prioritize such security concerns.

“I'm reminded of one conversation with an executive,” Zatko testified. “When I said, ‘I am confident that we have a foreign agent’ and their response was, ‘Well, since we already have one, what does it matter if we have more?’ Let's keep growing the office.”

Zatko gave a chilling example of how detailed the information on users can be. When a Twitter user began harassing company executives, Zatko asked an employee to look into the user to determine if they were a serious threat, he testified. 

“It only took that person maybe 10 minutes to get back to me and said, ‘OK, here's who they are. This is the address where they live. This is where they are physically at this moment. They're on their phone.”

Zatko said Twitter has misled the public, lawmakers, regulators and even its own board of directors about its security. 

Sen. Dick Durbin, D-Ill., said most Twitter users understand they’re handing over personal information to social media companies but that they expect the companies to take precautions to protect that information.

“It's like depositing money at the bank,” Durbin said. “When you hand your money to the teller, they take it behind the counter and put it in a vault. But at Twitter, according to our witness today, the door to that vault is wide open.”

Both Democrats and Republicans on the committee expressed concern about Zatko’s allegations. Some Republicans, who believe their voices are unevenly censored on social media, attempted to steer the conversation toward Twitter’s content moderation practices, but Zatko said he was not involved in those decisions.

Asked how the government might better hold tech companies accountable about their security and data, Zatko said Twitter has essentially been allowed by federal regulators to “grade their own homework” by simply answering questions, sometimes asked by auditors the company hired itself. 

He also suggested regulators could impose stricter penalties, adding that Twitter is not concerned about one-time fines for mishandling information. And Zatko proposed that the federal government create whistleblower protection for employees still employed by tech companies.

Twitter did not immediately respond to a request for comment Tuesday. CEO Parag Agrawal declined an invitation to testify before the Judiciary Committee, citing the company’s pending sale to Elon Musk, said Sen. Chuck Grassley of Iowa, the panel’s highest-ranking Republican. 

In a previous statement, a Twitter spokesperson painted Zatko as a disgruntled former employee making untrue claims. 

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Zatko insisted Tuesday he did not come forward out of spite but rather out of public concern.