“Twitter seems to have neglected security for a long time, and with all the changes there is definitely risk,” said David Kennedy, CEO of the incident response company TrustedSec, who formerly worked with the NSA and in the United States Marine Corps’ signals intelligence unit. “There is a lot of work to be done to stabilize and secure the platform, and there is definitely an increased risk from the perspective of malicious insiders because of all the changes that are taking place. As time passes, the likelihood of an incident decreases, but the security risks and technology debt are still there.”
A Twitter breach can expose the company or users in a myriad of ways. Of particular concern would be an incident that endangers users who are activists, dissidents or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm to users around the world. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat that whistleblower Zatko said Twitter was unwilling to counter.
The company was already under scrutiny by the U.S. Federal Trade Commission for past practices, and on Thursday seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past misuse of user data.
Of course, if a breach were to happen, the details would dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that in late October, the FTC issued an order against online delivery service Drizly, along with personal sanctions against its CEO, James Cory Rellas, after a breach exposed the data of about 2.5 million users. The order requires the company to adopt stricter policies for deleting information and for minimizing data collection and retention, and it imposes the same requirements on Rellas at any future company he works for.
Rob Silvers, under secretary for policy at the Department of Homeland Security, spoke broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, urging vigilance from businesses and other organizations. “I wouldn’t get too complacent. We see enough intrusion attempts and successful intrusions every day that we can’t let our guard down,” he said. “Defense is important, resilience is important in this space.”
Dan Tentler, one of the founders of Phobos Group, an attack simulation and remediation company, who worked on Twitter’s security team from 2011 to 2012, points out that while the company’s current chaos and understaffing pose pressing potential risks, they could also pose a challenge to attackers, who may currently be struggling to map the organization and identify the employees likely to hold strategic access or control within the company. However, he adds that the stakes are high because of Twitter’s scale and reach around the world.
“If there are still insiders inside Twitter or someone is hacking into Twitter, there probably isn’t much getting in the way of them doing what they want — you have an environment where there might not be many defenders left,” he says.