LONDON: Large amounts of online data can be exploited by hackers in “parlor tricks” to access sensitive UK government information, experts have warned.
British officials’ phones can be hacked in 20 minutes using publicly accessible phone numbers, social media profiles and the personal details of thousands of civil servants, experts told The Times.
They added that ministers in Britain are more vulnerable than ever to “human hacking,” which involves using social engineering to deceive victims into giving access to phone data, including messages.
A database including the names, job titles and email addresses of 45,000 British civil servants was available on the UK Government Communication Service (GCS) website, according to The Times, but was taken down in March 2020 due to a website upgrade.
The GCS, however, said that the database will soon return.
Phone numbers were included in 3,000 database entries, while many others listed Twitter and LinkedIn profiles.
“Social engineering really thrives on information: The more information you can give it, the more powerful it is,” warned Richard De Vere, a social engineering expert who exposed vulnerabilities at communications firm TalkTalk before the company was hacked in 2015.
De Vere said that the data available on the GCS website made the UK government “prime for social engineering attacks.”
Social engineering, a term used interchangeably with human hacking, uses manipulation to exploit human error and lure victims into exposing data or giving access to restricted systems.
Phone numbers that were available online included those for heads of department in the Cabinet Office, which has a cross-government role, including for finance and events, as well as numbers for directors at the British Council.
Other data belonged to high-profile members of the Ministry of Defence and the National Nuclear Laboratory.
De Vere had voiced his concerns to the National Cyber Security Centre in 2019 but was told the GCS was “supposed to have a public directory” and that staff had consented to their information being published.
Reports that former UK PM Liz Truss’ phone was hacked by Russian agents emerged in October 2022. De Vere said that he believed Truss was a victim of social engineering while serving as foreign secretary.
A government spokesman said that cybersecurity is taken “extremely seriously.”
A statement said: “Ministers receive regular security briefings and advice from the National Cyber Security Centre, including on protecting their personal data and mitigating cyber threats.”
Home Secretary Suella Braverman was initially ousted from her position in October after sending a government document to a Conservative MP using her personal email, in breach of ministerial rules.