Ministers and thousands of civil servants ‘are vulnerable to hackers’ after names, email addresses and even mobile phone numbers were left online for YEARS
- Experts raised alarm over a database of contact details for 45,000 civil servants
- The information was online, sparking fears that it could be used to trick ministers
- Fake messages could be sent appearing to come from senior civil servants
Ministers and large numbers of civil servants have been warned they are vulnerable to hackers after personal data was left online.
Experts have voiced alarm that ministers could be easily tricked into revealing sensitive information using a database of contact details.
Names, job titles and email addresses of 45,000 civil servants were available on the Government Communication Service (GCS) website.
The contacts were taken down in March 2020 due to work on the site, but a message insists they will return soon, according to The Times.
In 3,000 cases mobile phone numbers were included, while others featured Twitter and LinkedIn profiles.
Richard De Vere, an online security expert, told the paper that the material made the government ‘prime for social engineering attacks’ – another term for human hacking.
‘Social engineering really thrives on information: the more information you can give it, the more powerful it is,’ he said.
He warned that, using the data, criminals could impersonate senior civil servants and then contact ministers.
As the messages would seem to come from the civil servants’ mobile numbers, ministers could be enticed into clicking on links that would give the criminals access to systems.
‘For all intents and purposes these texts come from people’s phones, so if you’ve corresponded with them before in the past, the message will just appear with the rest. We can still spoof messages very easily,’ Mr De Vere said.
Heads of department at the Cabinet Office, staff at the Ministry of Defence and the National Nuclear Laboratory, and directors at the British Council were among those included on the database.
Mr De Vere said he flagged the issue to the National Cyber Security Centre in 2019 but was told the GCS was ‘supposed to have a public directory’.
He suggested that a hacking attack on Liz Truss while she was foreign secretary could have been down to ‘social engineering’.
A government spokesman told The Times: ‘This government takes cybersecurity extremely seriously. Ministers receive regular security briefings and advice from the National Cyber Security Centre, including on protecting their personal data and mitigating cyber threats.’