In charges released Wednesday, the Justice Department accused two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, of abusing their internal system privileges to spy on target users and pass the information they collected to Saudi Arabia. The criminal complaint also alleges that it was trivial for them to do so—a chilling reminder of how much damage an insider can cause.
The court documents, first reported by The Washington Post, also reference a third suspect, Ahmed Almutairi, who allegedly worked as an intermediary between the Twitter insiders and the Saudi government. Alzabarah and Almutairi are both Saudi citizens, while Abouammo is a United States citizen. He was arrested in Seattle on Tuesday.
Alzabarah joined Twitter in August 2013 as a site reliability engineer, the complaint says, and gained more responsibility over time until he could access users’ accounts and personal data—like phone numbers and IP addresses—as part of his job. He also allegedly developed relationships with Saudi intelligence agents during this time, and is accused of looking up private information from more than 6,000 Twitter accounts, including those of dissidents and political activists, on Saudi Arabia’s behalf over the course of a few months in 2015. Saudi Arabia is known for aggressively exerting influence and tracking detractors on social media. Crown Prince Mohammed bin Salman and his regime have also fostered close ties to Silicon Valley.
The Justice Department alleges that Abouammo accessed data from three user accounts, at least one of which belonged to an outspoken critic of the Saudi royal family. But unlike Alzabarah, Abouammo’s role as media partnerships manager at Twitter did not obviously require access to private user data. The complaint asserts that the Saudi government wired at least $300,000 to Abouammo and his family. He left Twitter in May 2015, but allegedly still attempted to get information about users from some former Twitter colleagues. Abouammo worked for Amazon after leaving Twitter, but apparently left that job over a year ago.
Twitter said on Wednesday that it appreciated the work of the Justice Department and Federal Bureau of Investigation on the case. “We recognize the lengths bad actors will go to try and undermine our service,” the social media giant said in a statement. “Our company limits access to sensitive account information to a limited group of trained and vetted employees. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights.”
But the fact that even a company with the resources of Twitter was unable to head off an insider threat speaks to just how difficult such threats are to defend against. Most organizations are woefully under-defended against them, according to multiple cybersecurity professionals WIRED spoke with Wednesday. They emphasize that the risk can never be totally eliminated, but that there are necessary data access controls and siloing efforts that many organizations overlook or implement weakly.
For example, many companies aren’t strict enough about limiting which employee accounts have “permission” or “privilege” to access sensitive data.
“Privileged access is one of the toughest things in any organization and especially in tech companies,” says Dave Kennedy, founder of TrustedSec, a cybersecurity firm that conducts so-called penetration tests, the practice of probing a system for weaknesses. “Companies are not doing enough to protect sensitive consumer data. This is a great example with Twitter. Insiders can do major damage and often go undetected for large periods of time.”
Many organizations find it difficult to prioritize the work it takes to stratify employee access to data based on specific need, a process often called provisioning. Uber infamously allowed employees access to a “God mode” that let them track users and view their account details—a feature staffers extensively abused. On the other end of the spectrum, making it more difficult for insiders to access and exfiltrate large amounts of sensitive data is possible but takes stringent, often frustrating rules. When companies grow from relaxed small businesses or startups into massive organizations, imposing those restrictive controls can be deeply unpopular among the people who work there.
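The two controls the security professionals above describe in the abstract, least-privilege provisioning of internal data access and detection of bulk lookups, can be written out concretely. The following is an added example, not code from the article, from Twitter, or from TrustedSec. The roles, fields, ticket policy, thresholds and the audit log lines are all constructed for illustration: a lookup is denied unless the employee’s role is explicitly granted the requested field, sensitive fields additionally require a support-ticket reference so every access has a stated reason, and a detector over the resulting log flags anyone whose number of distinct target accounts in a window is far above what a normal on-call task would touch, the kind of pattern (thousands of accounts over a few months) the complaint describes.

```python
"""
Added example (not from the WIRED article, Twitter or TrustedSec):
least-privilege gating of internal user-data lookups plus a bulk-lookup
detector over the audit log. All roles, fields, thresholds and log lines
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role -> fields that role is explicitly granted.
# The partnerships role gets public profile data only; phone numbers and
# IP addresses are simply not in its grant.
ROLE_GRANTS = {
    "sre": {"profile", "ip_address", "phone"},
    "support_tier2": {"profile", "email", "phone"},
    "media_partnerships": {"profile"},
}
# Assumed policy: these fields may only be read against a ticket reference.
SENSITIVE = {"ip_address", "phone", "email"}


@dataclass
class LookupRequest:
    employee: str
    role: str
    target_user: str
    field: str
    ticket: Optional[str] = None


def authorize(req: LookupRequest):
    """Deny by default; return (allowed, reason)."""
    grants = ROLE_GRANTS.get(req.role)
    if grants is None:
        return False, "unknown role"
    if req.field not in grants:
        return False, f"role {req.role!r} not granted {req.field!r}"
    if req.field in SENSITIVE and not req.ticket:
        return False, "sensitive field requires a ticket reference"
    return True, "ok"


def parse_audit_line(line: str):
    """Constructed log format: '<iso8601> <employee> <role> <field> <target> <ticket>'."""
    ts, employee, role, field, target, ticket = line.split()
    return {"ts": datetime.fromisoformat(ts), "employee": employee,
            "role": role, "field": field, "target": target, "ticket": ticket}


def flag_bulk_lookups(lines, window=timedelta(days=7), max_targets=25):
    """Return {employee: peak distinct targets} for anyone who looked up
    more than max_targets distinct accounts inside any sliding window.
    The threshold is an assumed per-role baseline, not a universal value."""
    by_emp = defaultdict(list)
    for line in lines:
        e = parse_audit_line(line)
        by_emp[e["employee"]].append((e["ts"], e["target"]))
    flagged = {}
    for emp, events in by_emp.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({t for _, t in events[lo:hi + 1]})
            if distinct > max_targets:
                flagged[emp] = max(flagged.get(emp, 0), distinct)
    return flagged


def sample_audit_log():
    """Constructed audit log: one engineer doing normal ticketed on-call
    work, one enumerating 40 different accounts in just over three days
    against a single reused ticket."""
    base = datetime(2015, 5, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        ts = (base + timedelta(days=i)).isoformat()
        lines.append(f"{ts} alice sre ip_address u{i} T-{100 + i}")
    for i in range(40):
        ts = (base + timedelta(hours=2 * i)).isoformat()
        lines.append(f"{ts} mallory sre phone account{i} T-7")
    return lines


if __name__ == "__main__":
    print(authorize(LookupRequest("bob", "media_partnerships", "u9", "phone")))
    print(authorize(LookupRequest("alice", "sre", "u9", "ip_address", ticket="T-1")))
    print(flag_bulk_lookups(sample_audit_log()))  # {'mallory': 40}
```

The gate is only half the control: a role that legitimately needs phone numbers and IP addresses for its job, as a site reliability engineer might, will pass `authorize` every time, which is why the detector runs over the log the gate produces rather than trusting the grant. In practice the baseline (`max_targets`) is set per role from historical volumes, and a single ticket reference justifying dozens of unrelated accounts is a second signal worth flagging on its own.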