
GCHQ blames plain text password blunder on legacy system

Says it has plans to replace it
Thu Mar 28 2013, 17:14

UK SPY AGENCY GCHQ could do with a taste of its own dogfood if its information systems are anything to go by.

The agency has been sending out user passwords in plain text over email, which is a big blunder in information security circles. Why is it doing this? Because it is using a legacy system, it said, which means that it has been doing this for years.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it," a GCHQ spokesman told The INQUIRER. "We are working with our supplier to achieve this."

The current applicant tracking system proved to be more Mr Bean than Mr Bond earlier this year when a student asked it to remind him of his password.

No problem, it probably said, here it is in plain text in an email that also exposes your user name.

This, folks, is a major security vulnerability. It makes GCHQ look pretty stupid in the area of information systems security. After all, that's supposed to be precisely its area of expertise.

Our student friend, Dan Farrall, said that he informed the agency of its gaffe last January and hasn't heard anything back from the organisation. He said he checked that it's still an issue, and whaddya know, it is.

"For those that don't think this matters, bear in mind the type of information you're submitting to these online applications," he warned. "Names, dates, family members' information, passport numbers, housing information. With this type of information identity theft is a major concern." µ

 
