Identity Governance Blog

7 Lessons Learned from the Twitter Whistleblower

By Andrew Silberman, Product Marketing Director at Omada

August 25, 2022

Yesterday there was a bombshell disclosure from a former Twitter senior executive, Peiter “Mudge” Zatko about potential security problems at the social media giant. We at Omada should note that there is much to be uncovered, and truth sorted from fiction and that this post strictly is providing guidance from reported claims, which have yet to be proven in a court of law. With that in mind, this report brought about several things that can be applied broadly to all organizations to ensure they avoid this type of negative headline. Here are several snippets from the report making waves, with key lessons learned and suggestions for what organizations can do to make sure they adhere to security and compliance best practices.

“The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.”

“The stakes of Zatko’s disclosure are enormous. It could lead to billions of dollars in new fines for Twitter if it’s found to have violated its legal obligations.”

Lesson 1: Perhaps repeating the obvious but failing to take regulatory agencies and compliance mandates seriously can lead to huge ramifications, meaning massive fines, reputational damages, loss of trust, and more.

Lesson 2: In more specific terms, this story is another reminder of the critical nature of having processes in place to securely store customer data, including regulating who has access to this data.

“Zatko soon learned ‘it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did… Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Lesson 3: Systems that house sensitive information like customer data or financial information, continue to be the most sought-after targets by bad actors, and access to them must be limited to only people that need that access as part of their everyday job functions.

Lesson 4: Organizations need to know what data they are storing and categorize data by level of criticality to ensure that access can be provisioned accordingly.

“Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees’ individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.”

“About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors.”

Lesson 5: Keeping people accountable is something that every organization needs checks and balances for. It is no longer acceptable to turn a blind eye to BYOD strategies in the name of productivity. Even if people are at home working, organizations need ways to ensure that all devices that enter the network have an acceptable baseline of security.

Lesson 6: Anything can be an entry point for attackers. Make sure that not only endpoints but servers and databases need to be regularly monitored and patched with the latest security updates.

“The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko’s disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.”

Lesson 7: Last, but not least, having infrastructure and applications that can be trusted to be available, redundant, and secure continues to be critical. Having a plan in place for when inevitable outages happen to ensure service continuity should also be well documented and articulated throughout the enterprise.

At Omada, we are always here to help organizations do more with identity while improving security and meeting compliance and audit requirements. In lieu of this recent news we have a few suggestions that every enterprise should consider and implement:

  1. Take a strong look at basic security hygiene. This includes patching systems and devices and encrypting data at rest and in transit.
  2. Implement the principle of least privilege by setting up role and policy-based access to ensure that people only have the access needed to perform their jobs.
  3. Enforce secure storage of data with demonstrated proof of why data is stored, and who has access to it
  4. Tag information, data, applications, and identities with tags to classify them based on risk, system type, relation to compliance, etc.
  5. Leverage certification campaigns to verify that all employees, third parties, and more are using their assigned access. Do this more frequently when evaluating critical systems and data
  6. Keep audit records of who has access to what

For more information about how Omada can help your team meet compliance and audit mandates while improving security, get in touch with us here.

Let's Get

Let us show you how Omada can enable your business.