Shannon Roddel | November 11, 2019
Federal prosecutors Wednesday (Nov. 6) charged two former Twitter employees — a Saudi national and a U.S. citizen — with spying on behalf of Saudi Arabia.
The Justice Department alleges the individuals used their access at the social media giant to gather sensitive and nonpublic information on dissidents of the Saudi regime. Cybersecurity and privacy expert Mike Chapple, associate teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business, says Twitter failed to live up to industry-standard cybersecurity practices.
“Both of the accused accessed information about private individuals that they had no legitimate need to view as part of their job responsibilities,” says Chapple, a former computer scientist with the National Security Agency. “One of the two employees worked as a site reliability engineer responsible for keeping the Twitter platform up and running. His job did not involve accessing individual user accounts, yet he managed to access the personal information of over 6,000 individuals of interest to the Saudi government, apparently without drawing any attention from Twitter’s cybersecurity team.”
Chapple notes this was a significant violation of the principle of least privilege, a long-standing security paradigm stating that any employee should only have the minimum level of access necessary to carry out their job function. “If Twitter had implemented this principle,” he says, “the misappropriation of information would not have been possible.”