Did one of the UK’s top spy agencies email potential recruits’ passwords in the open?

Talk about a potential security fail. The U.K.'s Government Communications Headquarters (GCHQ) has been sending job applicants passwords to its recruitment website via unencrypted email.

Why is this a potential security violation? Because plenty of personal information about those applicants is hosted inside the recruitment site. If a foreign intelligence agency broke into the recruitment page they could collect potentially useful information on GCHQ's future employees.

The kicker: GCHQ is the country's premier electronic intelligence agency -- the government's cyber security arm and the British equivalent of the National Security Agency. (To be fair, cyber spies would need to know whose email to target to get these passwords, but still.)

The problem was apparently revealed when job applicant Dan Farrall posted to his blog an email he got from GCHQ that included his password. Apparently GCHQ emailed Farrall his password after he filled out a basic ‘Forgot Your Password?’ form on the agency’s recruiting website. (You’d think, at the very least, GCHQ would require users to come up with a new password, as plenty of businesses do when you forget yours. Let’s hope they add two-factor authentication soon.)

Cyber security firm Kaspersky Lab’s blog ThreatPost then wrote up what it says is the agency’s acknowledgement of the security lapse.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it," the agency said, asserting that "only the very small percentage of applicants (who need their accounts reset) are sent a new password" and that those emails come "with clear instructions of how to protect their data."

GCHQ didn’t clarify whether it was planning to implement some sort of password reset functionality on its site in place of the password retrieval functionality it currently has. The agency also failed to explain how exactly it would approach its users’ privacy from here on out, so it’s unclear whether it plans to salt and hash its users’ passwords going forward.

It looks like the U.K.’s Fort Meade has been a little bit lax on some basic cyber security procedures.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
