Did one of the UK’s top spy agencies email potential recruits’ passwords in the open?


Talk about a potential security fail. The U.K.’s Government Communications Headquarters (GCHQ) has been sending job applicants passwords to its recruitment website via unencrypted email.

Why is this a potential security violation? Because plenty of personal information about those applicants is hosted inside the recruitment site. If a foreign intelligence agency broke into the recruitment page, it could collect potentially useful information on GCHQ’s future employees.

The kicker: GCHQ is the country’s premier electronic intelligence agency — the government’s cyber security arm and the British equivalent of the National Security Agency. (To be fair, cyber spies would need to know whose email to target to get these passwords, but still.)

The problem was apparently revealed when job applicant Dan Farrall posted to his blog an email he got from GCHQ that included his password. Apparently GCHQ emailed Farrall his password after he filled out a basic ‘Forgot Your Password?’ form on the agency’s recruiting website. (You’d think, at the very least, GCHQ would require users to come up with a new password like plenty of businesses do when you forget yours. Let’s hope they add two-factor authentication soon.)

Cyber security firm Kaspersky Lab’s blog ThreatPost then wrote up what it says is the agency’s acknowledgement of the security lapse.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it," the agency said, asserting that "only the very small percentage of applicants (who need their accounts reset) are sent a new password" and that those emails come "with clear instructions of how to protect their data."

GCHQ didn’t clarify whether it was planning to implement some sort of password reset functionality on its site in place of the password retrieval functionality it currently has. The agency also failed to explain how exactly it would approach its users’ privacy from here on out, so it’s unclear whether it plans to salt and hash its users’ passwords going forward.

It looks like the U.K.’s Fort Meade has been a little bit lax on some basic cyber security procedures.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
