“Twitter has seemingly neglected security for a very long time, and with all the changes, there is risk for sure,” says David Kennedy, CEO of the incident response firm TrustedSec, who formerly worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there is definitely an elevated risk from a malicious insider perspective due to all the changes occurring. As time passes, the probability of an incident lowers, but the security risks and technology debt are still there.”
A breach of Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat Zatko said Twitter was not prepared to counter.
The company was already under scrutiny from the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past data mishandling.
Were a breach to happen, the details would, of course, dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that, at the end of October, the FTC issued an order against the online ordering service Drizly and personal sanctions against its CEO, James Cory Rellas, after the company exposed the personal data of roughly 2.5 million users. The order requires the company to have stricter policies on deleting data and to minimize data collection and retention, while also requiring the same from Cory Rellas at any future companies he works for.
Speaking broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn’t get too complacent. We see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit,” he said. “Defense matters, resilience matters in this space.”
Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while the current chaos and understaffing within the company do create pressing potential risks, they could also hinder attackers, who may have difficulty right now mapping the organization to identify which employees hold strategic access or control within the company. He adds, though, that the stakes are high because of Twitter’s scale and reach around the world.
“If there are insiders left within Twitter or someone breaches Twitter, there’s probably not a lot standing in their way from doing whatever they want—you have an environment where there may not be a lot of defenders left,” he says.