Shareholders are suing Twitter following a whistleblower complaint and public testimony from Peiter “Mudge” Zatko, the company's former security lead, claiming the company deceived investors in public disclosures about the state of its security.
The lawsuit, filed Sept. 13, the same day Zatko testified about the security problems in front of the Senate Judiciary Committee, names Twitter along with former chief executive officer Jack Dorsey, current CEO Parag Agrawal and chief financial officer Ned Segal as defendants.
According to the complaint, the shareholders argue that Twitter knew its security practices were deficient, putting user and advertiser information at risk, and they cite filings to the Securities and Exchange Commission between 2020 and 2022 that note “security incidents … may expose us to a risk of loss of this information, litigation, increased security costs and potential liability.”
Such a breach — whether actual or perceived — could have a negative impact on the market’s perception of the company’s security posture, harm users and advertisers and decrease trust in the overall product.
“Twitter knew about security concerns on their platform; Twitter actively worked to hide the security concerns from the board, the investing public, and regulators; contrary to representations in SEC filings, Twitter did not take steps to improve security; Twitter’s active refusal to address security issues increased the risk of loss of public goodwill; and as a result, Defendants’ statements about Twitter’s business, operations, and prospects, were materially false and misleading and/or lacked a reasonable basis at all relevant times,” the complaint states.
The bulk of the evidence put forth by the plaintiffs is drawn from Zatko’s whistleblower complaint, which alleged that Twitter’s leadership misled its own board about security vulnerabilities, could not locate much of the data it collected and stored about users and, as a result, needed to grant broad administrative access to software engineers and developers.
That broad access left user data exposed to phishing and other credential-based attacks, like the one that took place in 2020 when teenage hackers hijacked an administrative account and took control of high-profile Twitter accounts to advertise a cryptocurrency scam. Zatko also said that the company’s lack of data center redundancy put it at risk of disruptions and shutdowns.
The day Zatko’s complaint was made public, Twitter’s stock price dropped by 7%.
Further, the shareholders claim that prior to Zatko’s disclosures, Twitter should have already been on notice that its security practices were going to be under scrutiny due to a 2011 consent decree with the Federal Trade Commission that required it to put a robust information security program around non-public user information and required the company to undergo biennial security audits.
“As a result of Defendants’ wrongful acts and omissions, and the precipitous decline in the market value of the Company’s common shares, Plaintiff and other Class members have suffered significant losses and damages,” the complaint states.
The core argument by the plaintiffs — that Twitter’s public statements to the SEC and investors show it knew deficient security would be bad for business, and that shareholders therefore paid artificially inflated stock prices — is similar to what SolarWinds shareholders have claimed in their own lawsuit following the massive Orion software supply chain breach that compromised at least nine federal agencies and at least 100 private companies.
Earlier this year, a judge declined a request by SolarWinds and its private equity owners to dismiss the suit, saying shareholders had sufficiently demonstrated that CISO Tim Brown and the company acted with “at least, severe recklessness” when touting the company’s security environment in media interviews and public filings.
Tyson Benson, an attorney with ZF Group, told SC Media that based on the complaint, the shareholders appear to be arguing that even as Twitter hired Zatko as head of security and was receiving new insights into the porous state of its cybersecurity, the substance of its SEC disclosures remained the same, using language this year that was identical to previous years’ filings.
One chief difference between this and the SolarWinds lawsuit: whereas SolarWinds argued that there was no proof that earlier warnings about security holes from a consultant prior to the Orion breach ever reached the CEO and other leadership, Zatko was Twitter’s top security official, and his complaint makes clear his concerns were relayed to the highest levels of the company.
“What has happened is because of the Zatko congressional hearing — it put a spotlight on … all of these filings and what the plaintiffs are alleging is, ‘Hey, none of this information found its way into these reportings that are required from SEC — and so because of this active neglect or behavior … that consumers and stock investors were not properly being brought up to date on the actual security environment at Twitter,’” said Benson.
The 2011 consent decree with the FTC may add to that argument and help “set the stage” for shareholders to demonstrate a history of poor security, but ultimately Benson said the Twitter lawsuit will need to clear a similar bar: proving that company officials were aware that the shortcomings listed in the whistleblower complaint made their previous SEC disclosures inaccurate, and that they intended to deceive the government and public by repeating identical statements this year.
“What the plaintiffs would be saying is at each time they’re re-using the same statement, and even after Mudge came forward, nothing has changed in this statement,” said Benson.
Correction: A previous version of this story misidentified Peiter Zatko as the chief information security officer at Twitter. Zatko was the company's security lead, reporting directly to the CEO.