WASHINGTON - Today, House Oversight and Reform Committee Ranking Member James Comer (R-Ky.) raised concerns about Twitter's lack of internal controls to protect the security of user accounts and called on Twitter CEO Jack Dorsey to provide information about what measures and employee training the company has put in place to prevent cyberattacks.
The day after the July 15, 2020 security breach, Ranking Member Comer sent a letter to Twitter demanding answers about the cyberscam that commandeered several high-profile accounts. In response, Twitter provided a briefing to the Committee but was unable to answer basic questions, including what security measures have been considered or implemented after the breach as well as basic details about employee access to user accounts and Twitter's arrangement with its contractors.
As world and business leaders frequently use Twitter to communicate with the public, Ranking Member Comer today warned that bad actors could exploit the platform to harm America's national and economic security. In the letter, Ranking Member Comer calls on Mr. Dorsey to provide the training Twitter employees are given to avoid social engineering attacks, a list of employees and contractors who have access to user accounts and all internal policies governing such access, and what steps the company is taking to avoid future breaches.
Below is the full text of the letter.
Dear Mr. Dorsey:
Thank you for providing a briefing to the Committee last week regarding the July 15, 2020 cyberscam that took place on Twitter. Your responsiveness to the Committee has been swift, and Twitter's desire to publicize information regarding the security breach is commendable. Unfortunately, during a briefing with Committee staff, Twitter was unable to answer several basic questions outlined in my July 16, 2020 letter to you, and the briefing raised many more questions than answers.
The breach of Twitter's security last month was the third major disruption in recent memory. In 2017, the President's personal Twitter feed was deleted by a disgruntled employee on his last day at Twitter. Last year, your personal Twitter feed was breached because, according to your staff, the phone company had a "security oversight." Finally, last month dozens of high-profile Twitter accounts were accessed by an individual who is not even a legal adult.
Though the sheer number of security breaches of high-profile Twitter accounts is astonishing, perhaps more astonishing is the relatively unsophisticated nature of each breach. Such easy access to Twitter's internal controls is emblematic of the cavalier nature with which the company takes its security. To wit, Twitter told the Committee its employees were the real victims of last month's attacks, not those whose accounts were compromised or who lost money as a result of the cyberscam.
Even more alarming is Twitter's response to last month's breach. Twitter blamed the breach on individuals exploiting employees "working from home." Yet, despite the fact Twitter employees may be working from home forever, your staff said Twitter is "not in a post-mortem state to talk about changes" the company is thinking about making regarding additional security measures. Even though you have acknowledged Twitter "fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools," Twitter laid out for the Committee no plans to address either of these moving forward.
Twitter emphasized to the Committee it is not a large organization, with only 4,000 employees, and had "resource constraints." But, Twitter claims, with over 160 million average daily users its users require a certain level of customer service. As such, according to one estimate, nearly 1,500 staff and contractors, a number equaling roughly 40% of Twitter's entire workforce, have the ability to "reset accounts, review user breaches and respond to potential content violations." This access serves as a "starting point to snoop on or even hack an account."
During last week's briefing, Twitter was unable to answer even basic questions about employee access to user accounts and Twitter's arrangement with its contractors. Particularly concerning to the Committee is the possibility Twitter employees and contractors have access to user IP addresses and possibly the locations of physical devices logged into a user's Twitter app profile. If true, any possible abuse or breach of this access has grave implications given that hundreds of world leaders, business elites, and other high-profile persons of interest frequently use Twitter to communicate with the public. The damage a malicious nation-state could do if they were to devote resources towards compromising Twitter's security could be grave.
Therefore, please provide the following documents to the Committee no later than 5:00 p.m. on August 18, 2020:
1) A copy of the recent training provided to all Twitter employees in the wake of last month's breach;
2) A copy of Twitter's anti-phishing guidance in place prior to last month's breach;
3) A list of all employees and contractors who have the ability to reset Twitter user passwords and/or have user level access to user accounts;
4) A description of, and as available a copy of, any internal policies and guidelines for granting a Twitter employee or contractor the ability to reset user passwords and/or have user level access to user accounts;
5) A copy of Twitter's protocols outlining the company's response to security incidents; and
6) A copy of Twitter's guidance regarding telework that applies to Twitter employees, including any additional security measures taken in the wake of last month's breach.
Thank you in advance for your cooperation with this matter.
Sincerely,
James Comer
Ranking Member