“Twitter has apparently neglected security for a long time, and with all the changes, there’s definitely a risk,” says David Kennedy, CEO of incident response firm TrustedSec, who previously worked at the NSA and with the United States Marine Corps’ signals intelligence unit. “There’s a lot of work that needs to be done to stabilize and secure the platform, and there’s definitely a high risk from an insider’s perspective from all the changes happening. Over time, the likelihood of an accident decreases, but security risks and technology debt remain.”
A Twitter breach could expose the company or users in a myriad of ways. Of particular interest would be an incident that endangers users who are activists, dissidents or journalists under a repressive regime. With over 230 million users, a Twitter hack would also have far-reaching potential consequences for identity theft, harassment and other harms. And from a government intelligence perspective, the data has already proven valuable enough over the years to motivate government spies to infiltrate the company, a threat Zatko said Twitter was unwilling to counter.
The company was already under scrutiny by the US Federal Trade Commission for past practices, and on Thursday seven Democratic senators called on the FTC to investigate whether “reported changes to internal auditing and data security practices” on Twitter violated the terms of a 2011 settlement between Twitter and the FTC for past mishandling of data.
If a breach were to occur, the details would, of course, dictate the consequences for users, Twitter and Musk. But the outspoken billionaire might want to note that, in late October, the FTC issued an order against online ordering service Drizly and personal fines against its CEO, James Cory Rellas, after the company exposed the personal data of about 2.5 million users. The order requires the company to have stricter data disposal policies and minimize data collection and retention, while requiring Cory Rellas to do the same at all future companies he works for.
Speaking extensively on the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary of policy at the Department of Homeland Security, urged vigilance from businesses and other organizations. “I wouldn’t settle too much. Every day we see enough break-in attempts and successful break-ins that we don’t let our guard down one bit,” he said. “Defense matters, resilience matters in this space.”
Dan Tentler, a founder of attack simulation and resolution firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while the current chaos and staffing shortages within the company create urgent potential risks, they could also pose challenges to attackers, who may be having difficulty right now mapping the organization to identify employees likely to have strategic access or control within the company. He adds, however, that the stakes are high due to Twitter’s size and reach around the world.
“If there are insiders left within Twitter or someone is hacking Twitter, there probably isn’t much to stand in the way of them doing what they want — you have an environment where there might not be many defenders left,” he says.