Britain’s hi-tech government intelligence agency GCHQ should know better than to send passwords in plain text via email – but has been doing so due to “legacy systems”, it admitted in a statement this week.
Sending passwords in plain text via email is insecure – if the message is intercepted at any point in the transmission process, a cybercriminal could potentially gain immediate access to the system protected by that password. One applicant to the intelligence agency said, “Not really sure how we can trust somebody like that to protect us, when they are still doing stupid things like this.”
The Government Communications Headquarters is the successor to the department which cracked the German Enigma code in World War 2. One of its primary tasks is to protect against cyber threats.
The agency this week admitted that its security system emailed passwords in plain text to job applicants who had lost theirs. The error could have left the personal data of future intelligence operatives at risk. A more secure practice is that requests for lost passwords should initiate a password reset. Alternatively, a separate communication channel could be used, such as a phone call. ESET Distinguished Researcher Aryeh Goretsky has more on password resets.
In a statement, the agency said, “The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. A very small percentage of applicants are sent a new password. This comes with clear instructions of how to protect their data.”
The error was highlighted by applicant Dan Farrall, who described his own experiences of the password reset system – and says that GCHQ has not responded to his concerns.
“After checking back today, almost 2 months later, this still has not been fixed, so I can only assume they have ignored it,” he wrote.
“For those that don’t think this matters, bear in mind the type of information you’re submitting to these online applications. Names, dates, family members information, passport numbers, housing information. With this type of information identity theft is a major concern.”
Author Rob Waugh, We Live Security