IOTW: Almost 50,000 UK government workers vulnerable to cyber attacks

A large number of UK government ministers and civil servants have been warned that they are vulnerable to hackers after their personal information was posted online and remained visible for months.

The personal information for more than 45,000 civil servants was available until March 2020 via the Government Communication Service (GCS) website. The information included names, email addresses, phone numbers and job titles as well as links to social media profiles including Twitter and LinkedIn. The information was removed in March 2020 due to work on the site, although The Times newspaper reported that a message on the site says the information will be “back soon”.

Concerns have been raised over the potential for the information to be used by malicious actors. In an interview with The Times, cyber security expert Richard De Vere explained that this information made government officials “prime for social engineering attacks”. When surveyed by Cyber Security Hub, 75 percent of cyber security experts said that social engineering attacks were the “most dangerous” cyber security threat to both them and their businesses.

De Vere went onto explain that ministers could face phishing attacks themselves, potentially putting their devices and data at risk. De Vere also noted that malicious actors could pose as government officials themselves by using their official mobile number and attempt to commit more sophisticated cyber attacks.

Hackers could attempt to do this either by using spoofing techniques which allow them to text and call others using an officially registered phone number (i.e., the phone number listed for a minister on the GCS database), or by creating an email address very similar to a civil servant’s and relying on the recipient to not sufficiently check the sender before replying.

Unfortunately, this is not the first time the cyber security efforts of the UK government have been called into question.

Former Prime Minister Liz Truss’ phone hacked

In late October 2022, shortly after she resigned from her position as Prime Minister, it was revealed that Liz Truss’ personal phone had been hacked while she was Foreign Secretary.

The Mail on Sunday reported that the hack had been discovered in summer of 2022, as Truss was campaigning for leadership of the Conservative party but was purposefully concealed by then Prime Minister Boris Johnson and other members of the party.

The Mail also reported that almost all the information on Truss’ phone had been accessed during the cyber attack, including up to a years’ worth of messages. These messages reportedly included personal correspondences between Truss and her international partners as well as private conversations between Truss and Kwasi Kwarteng, who would go on to serve as chancellor in her government. These messages allegedly contained confidential information, including discussions on the war in Ukraine.

The tabloid newspaper also claimed that her personal mobile phone had been “hacked by agents suspected of working for the Kremlin”, although how the hack happened was not explained.

The Mail on Sunday also alleged that Truss’ phone was “so heavily compromised” that it “had to be placed in a locked safe inside a secure government facility”. The newspaper claimed to have sources for all information reported in the article, although no sources were officially named.

When news of the hack broke, a spokesperson for the UK government declined to comment on “individuals' security arrangements” but said that there were “robust systems in place to protect against cyber threats”. The spokesperson also stated that government ministers are briefed frequently on cyber security measures and given advice on how to protect their devices and personal data.

Shadow Home Secretary Yvette Cooper spoke to Sky News about the hack, saying: “It’s why cybersecurity has to be taken so seriously by everyone across government, the role of hostile states...But [it] also [raises questions] about whether a cabinet minister has been using a personal phone for serious government business and serious questions about why this information or this story has been leaked or briefed right now.” 

There were calls to investigate the hack after it was revealed, although as of the time of writing, no formal investigation has been launched.

Former Prime Minister Boris Johnsons’ phone number available online for over a decade

In April 2021, it was revealed that then-Prime Minister Boris Johnson’s personal phone number had been freely available online for the past 15 years.

The phone number was written at the bottom of a think tank press released and published in 2006 and was never deleted. The same number appeared to be the one Johnson used for personal correspondence.

It was reported by the BBC in April 2021 that the device attached to this number “appeared to be switched off” and noted that Downing Street had yet to confirm if the number would be changed.

Following news of the issue breaking, Downing Street officials denied that Johnson had been urged to change his mobile number by senior officials. 
Labour leader Keir Starmer criticized Johnson, saying that not only was this a “serious situation [that] carries a security risk”, but that it highlighted serious questions about privileged access to government officials and “those who can WhatsApp the prime minister for favors”.

“There are also serious security questions around why and how this information has been leaked or released right now which must also be urgently investigated,” Starmer said.

Then-Chancellor of the Exchequer and now-Prime Minister Rishi Sunak defended Johnson, saying that to his knowledge, all security protocols concerning Johnson’s personal phone had been followed. He said that Johnson’s “incredibly approachable” nature was what made him “special” as a Prime Minister, and admitted he had not changed his personal phone number since being appointed as Chancellor of the Exchequer in February 2020.