October 31, 2022

Liz Truss phone hack highlights Whitehall’s ‘shadow IT’ problem

MPs and staff using their own devices to conduct government business is common, and poses a security risk.

By Matthew Gooding

Former prime minister Liz Truss’s phone was hacked by Russian agents who listened in on calls with international allies, it has been reported. The alleged attack highlights the problem of shadow IT in the UK government, with personal devices and unauthorised messaging systems routinely used by MPs and staff. This can be exploited by cybercriminals.

Liz Truss’s personal phone was apparently targeted by Russian hackers. (Photo by Steve Back/Getty Images)

The hack took place earlier this year while Truss was Foreign Secretary, with Russian spies thought to have gained access to secret conversations with foreign governments as well as overhearing talks between Truss and her key political ally, Kwasi Kwarteng.

The Mail on Sunday, which first reported the breach, said that the phone was so heavily compromised that it is being held by the government and stored in a secure location, quoting a source familiar with the investigation. Truss went on to serve as prime minister for 45 days after being elected Conservative Party leader in September, but resigned earlier this month after the disastrous mini-Budget delivered by Kwarteng, then Chancellor of the Exchequer, which plunged the UK into financial crisis. She has since been replaced by Rishi Sunak and has returned to the back benches.

Liz Truss phone hack exposes Whitehall security problems

The incident took place during this summer’s leadership contest, and it is understood the spies intercepted up to a year’s worth of messages.

These include Truss and Kwarteng criticising then-prime minister Boris Johnson, material which security forces believe could have been used in blackmail campaigns. It is also thought to have included sensitive discussions about the war in Ukraine and arms shipments.

According to the Mail on Sunday, Johnson and Simon Case, the cabinet office secretary, imposed a media blackout. Truss was forced to change the phone number she had been using for more than a decade.

A government spokesperson told the Mail on Sunday: “We do not comment on individuals’ security arrangements. The government has robust systems in place to protect against cyber threats. That includes regular security briefings for ministers, and advice on protecting their personal data.”

Speaking to Sky News on Monday morning, government food minister Mark Spencer said: “The former prime minister clearly was hacked, and the first thing you’ve got to do in that situation is say ‘I’ve been hacked’ and the security service will help you with that challenge.

“Of course, you don’t always know, which is why you’ve got to be super-careful. We all talk on our personal phones and you’ve got to be careful which stuff you say on which device, and you get a lot of help and support for that.”

Spencer also attracted criticism for saying that a “little man in China” might be listening in to conversations between him and his wife. Opposition MPs were quick to voice their shock, with Labour’s Sarah Owen tweeting: “Mark Spencer once again showing his ignorance, on many levels.”

The Truss incident comes two weeks after home secretary Suella Braverman was forced to resign for sending confidential information via her private Gmail account, a breach of the ministerial code. Braverman has since been reinstated by Sunak, and claims the email was sent in error.

Is UK government compromised by shadow IT?

Truss and Braverman have both been compromised by using shadow IT: devices and systems not approved or monitored by the tech department. This is a common problem across Whitehall, with many important conversations conducted over encrypted messaging service WhatsApp.

Last year a minister overseeing lucrative Covid-19 contracts was accused of conducting government business on unofficial channels, on a broken phone, and without any documentation. It emerged in a court case brought by campaign group The Good Law Project, which was seeking to uncover redacted details about contracts handed out during the Covid-19 pandemic, that junior health minister Lord Bethell used his personal email address to conduct government business and neglected to declare meetings with firms that went on to win contracts with the Department of Health and Social Care.

In sworn evidence, the hearing was told that Lord Bethell admitted conducting official business via WhatsApp or text message, and then in December 2020 replaced his ‘broken’ phone weeks after being told it would need to be searched for documents related to the case.

Data regulator the Information Commissioner’s Office subsequently launched an investigation, and found that widespread use of WhatsApp and other messaging apps across the Department of Health and Social Care (DHSC) creates “systemic risk” for the department. An ICO report found that the use of private email and messaging services left personally identifiable information (PII) on private servers without appropriate protection. The ICO said that this was because of a “lack of clear controls and a rapid increase in the use of messaging apps and technologies” within the department, and called for a wider investigation into the use of private messaging services in government.
