More lessons from the Twitter whistleblower disclosures about lax security and lax data storage that should alert employees of banks, brokerage houses, and other high-tech companies

Twitter’s former security chief Peiter Zatko will soon testify before Congress about what he believes is Twitter’s impotent security program, and he is expected to address the national security issues raised in his complaint. He has engendered a vast response from various voices, including Republican Senator Charles E. Grassley, who stated, “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.” European watchdogs have also responded, seeking more information after Zatko’s complaint was made public. They are concerned about private corporate and possibly state information being released.

His allegations and analysis have also resulted in a wave of commentary from other security experts decrying the vulnerable data security environment in our major banks, financial advisory companies, broker-dealers, high-tech companies, and, worst of all, data storage companies. Sitting in all of those companies is a compilation of the secrets that hostile governments dream about.

Many major companies, according to experts, are not equipped with the latest technological advances to prevent entry by outsiders or hackers. Some even accept the risks, not spending adequate funds to protect the companies. But the risks are not just to clients or the banks themselves. The risks are to the sensitive infrastructure of the country, including the nuclear power plants, the power grid, delivery of critical fuel supplies and other sensitive data.

Zatko’s report alleges that the company lets thousands of employees — accounting for roughly half its workforce and all its engineers — work directly on Twitter’s live product and interact with actual user data.

This single fact, according to Zatko, creates a host of security problems: rogue employees could snoop on Twitter users’ information, a poorly coded update could make parts or all of the platform unusable, or insider threats may give outsiders significant access to Twitter’s systems in ways that would not be possible at other companies. In multiple situations, Twitter learned that employees had intentionally installed spyware on their computers at the behest of third-party organizations, according to the disclosure. How many employees may have been involved in the spyware incidents is unclear. It is also unclear whether other companies, banks, social media, and high-tech companies have similar issues, potentially opening the door to hostile intrusion.

Zatko also says Twitter does not reliably delete users’ data after they cancel their accounts, sometimes because the company has lost track of the information. It has misled regulators about whether it deletes the data as it is required to do.

The greatest protections will come from individuals who report data deficiencies and hostile entrants to private data.

Jeffrey Newman is a whistleblower lawyer with the firm Newman & Shapiro. JNewman@Newmanshapiro.com 617-823-3217
