Washington DC - Peiter Zatko, the former Twitter security chief turned whistleblower, told the Senate Judiciary Committee on Tuesday that the social media company’s security practices were so weak that foreign governments were able to place agents on the company’s payroll.

Zatko also told lawmakers that US regulators are unable to police technology companies, singling out the Federal Trade Commission (FTC) as being in over its head and allowing tech companies to "grade their own homework."

The US practice of slapping companies with one-time fines is "priced in" by Twitter and other technology companies as the cost of doing business, he said.

His testimony followed complaints that he filed with the FTC, the Securities and Exchange Commission (SEC), and the Justice Department. The Washington Post first disclosed his revelations last month.

It was recently revealed that the company paid Zatko $7.75 million in severance back in June. The former head of security was fired from Twitter in January for what the company claimed to be "poor performance."

Elon Musk is now citing Zatko's severance pay as a violation of the merger agreement he signed to buyout the company in April and is another reason for him calling off the deal. Twitter shareholders voted to approve the $44 billion buyout on Tuesday, and the two sides will head to court to over the deal next month. Zatko has been subpoenaed by Musk's legal team to give testimony in the case.

Despite Tuesday's hearing, Congress isn’t expected to take action to police the behavior of Twitter or other social media companies. Two Senate bills that would address data privacy for children and minors have been approved by the Senate Commerce Committee, but they haven’t received floor action.

Senate Judiciary member Amy Klobuchar cited the lack of action at the Tuesday hearing. "We have not passed one bill out of the Senate when it comes to competition, when it comes to privacy, when it comes to better funding agencies," she said. "I think we’d better be putting the mirror on ourselves."

Senate Judiciary Chairman Richard Durbin called Zatko’s allegations concerning. The area of great concern is the access of foreign governments and foreign agencies to data that American users may be providing to the platform, he said, adding that Americans have "no idea that they are vulnerable to that possibility."

In August, a former Twitter manager accused of spying for Saudi Arabia was convicted in San Francisco on six criminal counts. Prosecutors said an adviser to Saudi Arabia’s Crown Prince Mohammed bin Salman recruited Ahmad Abouammo to use his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.

Zatko said Twitter had few of the standard security practices used at several technology and other companies, with protocols specifying which employees have access to what computer systems and/or maintenance logs of employee activity. Thousands of engineers at Twitter have access to the company’s production system or the computer networks that host the social media platform and users’ data, he said.

Many companies create a separate network where new employees are trained, and new offerings are tested before being launched on the production system, Zatko said.

Twitter didn’t maintain logs of which engineers accessed what systems, he said. As a result, thousands of employees have access to all the information from Twitter users, making the company a rich target for intelligence gathering on users by foreign governments, Zatko said.

President Barack Obama’s Twitter account was hacked in 2009. Hackers also accessed Obama’s account in 2020 as well as those of then-presidential candidate Joe Biden, Tesla founder Elon Musk, and 100 others.

Zatko described Twitter as a company so focused on adding new users and increasing revenue that it spared no time, resources, or personnel to put security measures in place.

Twitter allowed Chinese companies that may have had ties to the government to advertise on the platform even though it is banned in China, Zatko said. Users who clicked on those ads may have exposed themselves to data collection by the Chinese companies, he said.

"Twitter was a company that was managed by risk and by crises, instead of one that manages risk and crises," Zatko said.

He added that the company’s top executives didn’t want to hear about security weaknesses.

Zatko said US federal agencies are woefully inadequate in policing tech companies, noting that the FTC in particular was unable to fully enforce a 2011 consent decree with Twitter about safeguarding users’ data.

"I think the FTC, honestly, is a little over their head ... compared to the size of the big tech companies and the challenge they have against them," he said.

Twitter was more afraid of foreign regulators — including France’s data protection agency, known as CNIL — than of the FTC, Zatko said. Unlike the FTC, which levies one-time fines, France and other foreign regulatory bodies are more likely to impose structural remedies on technology companies that could hurt bottom lines and get the attention of investors, Zatko said.

In May, the FTC fined Twitter $150 million for violating a 2011 consent decree by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially.