Password questions asked of GCHQ after plain text reminder is sent
Intelligence and Security Committee report highlights cyber security failings and GCHQ staffing issues
Questions have been asked about how secure GCHQ itself is, especially when it comes to how it handles passwords.
According to a blog post by Dan Farrall, a forgotten-password request he made to GCHQ's online application system in January returned his password in plaintext. He said that he contacted GCHQ, heard nothing back, and found two months later that nothing had been fixed. A system that can quote an applicant's chosen password back in an email is holding it in recoverable form rather than as a one-way hash; an email that carries a newly generated password, which is how GCHQ characterises its resets, is a different flow, though still a weak one, since the credential travels in clear text through mail servers and inboxes.
He said: “Not really sure how we can trust somebody like that to protect us, when they are still doing stupid things like this. For those that don't think this matters, bear in mind the type of information you're submitting to these online applications: names, dates, family members' information, passport numbers, housing information. With this type of information identity theft is a major concern.”
In a statement issued to The Register, GCHQ said: “The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.”
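The two flows discussed above, as an added illustration that is not code from the page, from Dan Farrall's blog or from GCHQ's applicant tracking system: a store that can quote a password back in a reminder email must hold it in recoverable form, whereas a store that keeps only a salted PBKDF2 hash cannot recover the password at all and can only issue a single-use, expiring reset token. The `example.invalid` address, the reset URL, the class names and the iteration count are all constructed for this example.

```python
"""Added example (not from the article or any named system): a password
reminder that can email the password back, beside a hashed store that can
only email a short-lived, single-use reset token."""
import hashlib
import hmac
import os
import secrets
import time


class PlaintextReminderStore:
    """The legacy pattern: the password is stored as typed, so a 'forgot
    password' request can quote it back. Anyone who can read the mail, the
    mail server, or the application log now has the credential."""

    def __init__(self):
        self._users = {}

    def register(self, email, password):
        self._users[email] = password

    def login(self, email, password):
        return self._users.get(email) == password

    def forgot_password_email(self, email):
        return f"Your password is: {self._users[email]}"


class HashedResetTokenStore:
    """Keeps only salt + PBKDF2-HMAC-SHA256 of the password. Because the
    password cannot be recovered, a reset hands out a token instead."""

    ITERATIONS = 300_000        # constructed value; tune upward for production, or use Argon2id
    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self, now=time.time):
        self._users = {}        # email -> (salt, digest)
        self._tokens = {}       # sha256(token) -> (email, expiry); token itself is never stored
        self._now = now         # injectable clock so expiry can be tested

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self._users[email] = (salt, self._hash(password, salt))

    def login(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._hash(password, salt))

    def forgot_password_email(self, email):
        """Returns the email body to send, or None if the address is unknown.
        The HTTP response shown to the requester must be identical in both
        cases so that the form cannot be used to enumerate applicants."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        token_key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._tokens[token_key] = (email, self._now() + self.TOKEN_TTL_SECONDS)
        # Hypothetical reset URL for the example.
        return f"Reset your password: https://example.invalid/reset?token={token}"

    def reset_with_token(self, token, new_password):
        token_key = hashlib.sha256(token.encode("ascii")).hexdigest()
        rec = self._tokens.pop(token_key, None)   # pop: the token is single-use
        if rec is None:
            return False
        email, expiry = rec
        if self._now() > expiry:
            return False
        self.register(email, new_password)
        return True


def demo():
    """Runs both flows on a constructed account and returns what each email exposes."""
    legacy = PlaintextReminderStore()
    legacy.register("applicant@example.invalid", "hunter2")
    hashed = HashedResetTokenStore()
    hashed.register("applicant@example.invalid", "hunter2")
    return {
        "legacy_mail_contains_password": "hunter2" in legacy.forgot_password_email("applicant@example.invalid"),
        "hashed_mail_contains_password": "hunter2" in hashed.forgot_password_email("applicant@example.invalid"),
    }


if __name__ == "__main__":
    print(demo())
```

The hashed store still emails something sensitive, a bearer token, which is why the token is random, short-lived, consumed on first use and stored only as a hash; a reset that emails a freshly generated password has none of those properties.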
Rob Sobers, technical director at Varonis, said: “Now, there are plenty of reasons why this is a ridiculously bad practice and can expose very sensitive information to the wrong people.
“It's certainly not the case that password encryption is beyond the grasp of the partner of an intelligence agency like GCHQ. In fact, in the majority of cases, there is a known solution for the security challenges we face. But the volume of data we manage, the interconnectedness of our systems, organisational bureaucracy, and frankly, people, make security much harder than it seems.
“This case in particular highlights the need to do a thorough check of your third party providers and their business practices, especially in the area of security. We have to focus on the basic 'blocking and tackling' if we stand a chance at becoming a culture of data security and privacy.”