UK government’s shadow IT problem exposed
Former Prime Minister Liz Truss’s phone was hacked by Russian agents listening to conversations with international allies, it has been reported. The alleged attack highlights the problem of shadow IT in the UK government, with personal devices and unauthorized messaging systems routinely used by MPs and staff. This can be exploited by cybercriminals.
The hack took place earlier this year while Truss was foreign secretary, with Russian spies believed to have accessed secret conversations with foreign governments, as well as eavesdropping on conversations between Truss and her key political ally, Kwasi Kwarteng.
The Mail on Sunday, which first reported the breach, said the phone was so heavily compromised that it is being held by authorities and stored in a secure location, citing a source familiar with the investigation. Truss continued as prime minister for 45 days after being elected leader of the Conservative Party in September, but resigned earlier this month after the disastrous mini-budget delivered by Kwarteng, then Chancellor of the Exchequer, which plunged Britain into the financial crisis. She has since been replaced by Rishi Sunak and has returned to the back benches.
Liz Truss phone hack exposes Whitehall security problems
The incident took place during the summer’s leadership competition, and it is understood that the spies intercepted a year’s worth of messages.
These include Truss and Kwarteng criticizing then Prime Minister Boris Johnson, material which security forces believe could have been used in blackmail campaigns. It is also believed to have included sensitive discussions about the war in Ukraine and arms shipments.
according to Mail on Sunday, Johnson and Simon Case, the Cabinet Office Secretary, imposed a media blackout. Truss was forced to change the phone number she had used for more than a decade.
A spokesperson for the government said so Mail on Sunday: “We do not comment on individuals’ security arrangements. The government has robust systems in place to protect against cyber threats. It includes regular security briefings for ministers and advice on protecting their personal data.”
Talking to Sky News on monday morning the government’s food minister mark spencer said: “The former prime minister was obviously hacked and the first thing you need to do in that situation is to say ‘I’ve been hacked’ and the security service will help you with that challenge.
Content from our partners
“Obviously, you don’t always know, and that’s why you have to be very careful. We’re all talking on our personal phones, and you have to be careful about what things you say on which device, and you get a lot of help and support for that.”
Spencer also drew criticism for saying a “little man in China” might be listening in on conversations between him and his wife. Opposition MPs were quick to voice their shock, with Labour’s Sarah Owen tweeting: “Mark Spencer once again shows his ignorance, on many levels.
The Truss incident comes two weeks after Home Secretary Suella Braverman was forced to resign for sending confidential information through her private Gmail account, a breach of ministerial code. Braverman has since been reinstated by Sunak, claiming the email was sent in error.
Is UK government compromised by shadow IT?
Truss and Braverman have both been compromised using shadow IT, devices and systems not approved or monitored by the technology department. This is a common problem in Whitehall, with many important conversations conducted over encrypted messaging service WhatsApp.
Last year, a minister overseeing lucrative Covid-19 contracts was accused of conducting government business on unofficial channels, on a broken phone and without documentation. In a court case brought by campaign group The Good Law Project, which sought to uncover redacted details of contracts awarded during the Covid-19 pandemic, junior health minister Lord Bethell used his personal email address to conduct government business, it has emerged, and failed to declare meetings with firms that went on to win Department of Health and Social Care contracts.
In sworn evidence, the hearing was told that Lord Bethell admitted conducting official business via WhatsApp or text message and then in December 2020 replaced his “broken” phone weeks after being told documents related to the case needed to be searched.
Data regulator the Information Commissioner’s Office then launched an investigation, finding widespread use of WhatsApp and other messaging apps across the Department of Health and Social Care (DHSC) creates “systemic risk” to the department. An ICO report found that the use of private email and messaging services left personally identifiable information (PII) on private servers without appropriate protection. The ICO said this was due to a “lack of clear controls and a rapid increase in the use of messaging apps and technologies” in the department, and called for a wider investigation into the use of private messaging services in government.
