The recent chat group leak highlights the risks of unsupervised tech use for work
Last Monday, US-based magazine The Atlantic broke the story of how its editor-in-chief got accidentally added to a group chat of top US officials where they discussed sensitive war plans.
Jeffrey Goldberg, editor-in-chief of The Atlantic, revealed on Monday that he got added to a group chat on the application Signal where top US officials, including National Security Advisor Michael Waltz and Vice President JD Vance, discussed plans to bomb Houthi targets across Yemen earlier this month.
"I have never seen a breach quite like this," Goldberg said in his article. "It is not uncommon for national-security officials to communicate on Signal. But the app is used primarily for meeting planning and other logistical matters - not for detailed and highly confidential discussions of a pending military action."
Goldberg further pointed out that officials discussing official business on Signal may be breaching government policy, as Signal is not an approved app for sharing classified information, such as information on national defence.
He noted that messages in the chat group were also set to disappear after at least a week, raising a potential violation of federal law, under which text messages about official acts are considered records that should be preserved.
The breach is an example of how employees may be inclined to use applications or systems that are not approved by the organisation's IT department, opening the company to cybersecurity leaks and breaches.
In fact, data from Microsoft last year revealed that 78% of users of artificial intelligence are using their own AI tools for work, with some doing so without clear guidance or clearance in place.
This behaviour isn't limited to AI, as previous research also pointed out that there may be employees using systems and devices that are not approved by their company's IT department.
This practice of "shadow IT" became much more prominent during the pandemic, when it became almost common for teams to set up their own messaging channels without the knowledge of IT.
Steven Wood, Director of Sales and Engineering at cybersecurity company Webroot, previously told HRD that if employees are unhappy with corporate-sanctioned applications, they tend to look elsewhere, which may lead them to circumvent IT procedures and practices.
Wood said that education is the best line of defence against this behaviour.
"The HR department can play a central role in ensuring end users are given the proper education and training, leveraging existing learning management systems or training processes," he previously told HRD. "Outside of training and education, HR can work together with CIOs to create policies and enforce them."
The chat group blunder by the top US officials has led to lawsuits. Nonpartisan watchdog American Oversight filed a case against the US officials involved for violations of the Federal Records Act and Administrative Procedure Act.
"This reported disclosure of sensitive military information in a Signal group chat that included a journalist is a five-alarm fire for government accountability and potentially a crime," said American Oversight Interim Executive Director Chioma Chukwu in a statement.
"Our lawsuit seeks to ensure these federal records are preserved and recovered. The American people deserve answers, and we won't stop until we get them."
Waltz held himself accountable for the Signal group chat leak.
"I take full responsibility. I built the group," he told Fox News. "We've got the best technical minds now looking at how this happened."
The chat group leak also took place days after the Pentagon warned its employees about using Signal after a "vulnerability has been identified," National Public Radio (NPR) reported.
The Pentagon, in a memo reported by NPR, claimed that "Russian professional hacking groups" are using "linked devices" features to spy on encrypted conversations.
But Signal, in a statement posted on X, said the "vulnerabilities" claim "isn't accurate."
"The memo used the term 'vulnerability' in relation to Signal—but it had nothing to do with Signal's core tech. It was warning against phishing scams targeting Signal users," the organisation said in a statement.
"Phishing isn't new, and it's not a flaw in our encryption or any of Signal's underlying technology. Phishing attacks are a constant threat for popular apps and websites."
Signal CEO Meredith Whittaker also maintained in another post that their application is the "gold standard in private comms."
"We're open source, nonprofit, and we develop and apply e2ee [end-to-end encryption] and privacy-preserving tech across our system to protect metadata and message contents."