Twitter's most senior cybersecurity staffer Lea Kissner has departed the social media giant.
Kissner announced the move in a tweet on Thursday, saying they made the "hard decision" to leave Twitter, but did not say for what reason they resigned. Elon Musk completed a $44 billion takeover of Twitter two weeks ago, resulting in layoffs affecting more than half of the company and the departure of senior executives, including CEO Parag Agrawal, General Counsel Sean Edgett and Legal Policy chief Vijaya Gadde.
News of Kissner's departure was first reported by Casey Newton. Twitter's chief privacy officer Damien Kieran has also resigned, and reportedly so has chief compliance officer Marianne Fogarty, according to Newton, citing messages shared in Twitter Slack.
The departures raise regulatory questions, specifically related to who is tracking activity on the platform and making sure Twitter is reporting information and remaining compliant with existing frameworks.
"We are tracking recent developments at Twitter with deep concern," a spokesperson from the FTC said in a statement provided to TechCrunch. "No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them." Read more on what might happen at the FTC next here.
It's not immediately clear who is responsible for Twitter's day-to-day security operations following Kissner's departure. A spokesperson for Twitter did not immediately respond to a request for comment.
I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.
I'm looking forward to figuring out what's next, starting with my reviews for @USENIXSecurity 😁
— Lea Kissner (@LeaKissner) November 10, 2022
We have also reached out to Kissner, Kieran and Fogarty for comment and will update this post as and when we hear more. Anyone reading this who would like to pass on more information about this or other Twitter stories can also contact us via channels here.
Kissner previously served as Twitter's head of privacy engineering and was appointed Twitter's chief information security officer (CISO) in January 2022 following the departure of security head Peiter "Mudge" Zatko and then-CISO Rinki Sethi. Mudge went on to blow the whistle to federal regulators claiming security mismanagement and lax access controls that put users' data at risk.
Twitter is currently under a 2011 agreement with the Federal Trade Commission, which accused Twitter of cybersecurity failings that allowed cybercriminals to access internal systems and user data.
The decree mandates that Twitter "establish and maintain a comprehensive information security program" to be audited every decade. It's not clear how Twitter maintains that compliance with the FTC without a company security lead in place. One employee said in a company Slack that it was for Twitter engineers to "self-certify" compliance with the FTC.
“All of this is extremely dangerous for our users,” a message quoted by Newton said. “Given that the FTC can (and will!) fine Twitter BILLIONS of dollars pursuant to the FTC Consent Order, extremely detrimental to Twitter’s longevity as a platform. Our users deserve so much better than this.”
An essay this week in the MIT Technology Review outlined how current staffing at Twitter, which laid off half its staff at the end of last week, would make operating the company and its platform unsustainable, and it feels like the wheels might be coming off even faster than critics thought they would.
Even before this the company had been facing a number of security and data protection issues. In two from earlier this year, Twitter was fined $150 million in May for violating that 2011 consent decree for misusing email addresses and phone numbers provided by users to set up two-factor authentication for targeted advertising. In August, it revealed (and patched) a security vulnerability that allowed threat actors to compile information of 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.