Digital Transformation

GCHQ left embarrassed after password blunder

Plain text reminders have been used at GCHQ even though they may pose a big risk to individuals and the organisation itself.

Intelligence agency GCHQ has been left red-faced after it was revealed to have made a major blunder in data protection.

The mistake was brought to light by a blogging member of the public who applied for a job with the organisation.

Dan Farrall forgot his log-in details so filled in a form to have his password sent to him by email.

However, when it arrived, he noticed it was a plain text reminder rather than being encrypted or salted hash.

Even more worryingly, Mr Farrall noted that GCHQ had not taken any measures to get rid of this obvious bad practice even though he alerted IT experts there about it.

He ended up being so concerned that he posted information about his experience on his blog and this has now been picked up by the world’s media.

The Register received a statement from GCHQ that said: "The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data."

Nevertheless, it is sure to concern thousands of people given that the organisation deals with information relating to national security.

Not only could the dangerous use of passwords result in data theft for job applicants, but it could also cause them to be put in risky situations if they do end up being employed by GCHQ.

It is important to remember that all website passwords should only ever be stored as encrypted and salted hashes – and never sent in reminder emails.

The experts at Dajon Data Management will be able to help anyone who needs to store information and is unsure about passwords and data control.

It is vital to get it right as large fines can otherwise be issued – Tesco recently fell victim to this, while Sony was also reprimanded by the Information Commissioner’s Office for failing to implement proper data protection measures.