“Twitter has seemingly neglected security for a very long time, and with all the changes there’s certainly a risk,” says David Kennedy, CEO of incident response firm TrustedSec, who formerly worked at the NSA and the United States Marine Corps signals intelligence unit. “There is still work to be done to stabilize and secure the platform and there is definitely an increased risk from a malicious insider perspective due to all the changes that are occurring. Over time, the likelihood of an incident decreases, but security risks and technology debt remain.”
Breaching Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a breach of Twitter would also have far-reaching potential consequences for identity theft, harassment and other harms for users around the world. And from a state intelligence perspective, the data has already proven valuable enough over the years to motivate government spies to infiltrate the company, a threat that whistleblower Zatko says Twitter was unprepared for.
The company has already been investigated by the U.S. Federal Trade Commission for past practices, and on Thursday seven Democratic senators asked the FTC to investigate whether “reported changes in internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement reached between Twitter and the FTC over past data abuse.
Of course, should a breach occur, the details would determine the consequences for users, Twitter, and Musk. But the outspoken billionaire might want to note that in late October the FTC issued an order against online delivery service Drizly, along with personal sanctions against its CEO James Cory Rellas, after the company exposed the data of around 2.5 million users. The order requires the company to adopt stricter policies on deleting information and minimizing data collection and retention, and it binds Cory Rellas personally, so that any company he goes on to lead must do the same.
At the Aspen Cyber Summit in New York City on Wednesday, Secretary of State for Policy at the Department of Homeland Security, Rob Silvers, spoke comprehensively about the current landscape of digital security threats and urged companies and other organizations to be vigilant. “I wouldn’t get too complacent. We see enough attempted intruders and successful intruders every day that we don’t let our guard down even a bit,” he said. “Defense is important, resilience is important in this space.”
Dan Tentler, founder of attack simulation and remediation firm Phobos Group, who worked in Twitter security from 2011 to 2012, cautions that while the current chaos and understaffing within the company create urgent potential risks, the turmoil also cuts the other way: at this point, potential attackers are struggling to map the organization to the employees who are likely to have strategic access or control within it. However, he adds that the stakes are high because of Twitter’s size and reach around the world.
“If there are insiders on Twitter, or someone is taking action against Twitter, there’s probably not much stopping them from doing what they want — you have an environment where there might not be many defenders left,” he says.