“Nobody was texting war plans,” U.S. Defense Secretary Pete Hegseth assured just hours after the nightmare of a journalist joining a group chat with Trump officials was suddenly revealed. The White House confirmed the breach, as news outlets digested the post-bombing emoji selection of those keeping Americans safe and secure.
“U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.” The Atlantic’s Jeffrey Goldberg reported that “the secretary of defense had texted me the war plan at 11:44 a.m. The plan included precise information about weapons packages, targets, and timing. This is going to require some explaining.”
There is plenty to unpick in this story from a security perspective. But the choice of messaging app should not be a surprise. America’s cyber defense agency warns “highly targeted individuals,” such as those in this group chat, to always use end-to-end encrypted messaging, “such as Signal or similar apps,” which they did.
But end-to-end encryption is only as secure as each of the ends. If you add the wrong person into a group, all that security fails. Group chats are inherently more risky — especially when it’s more than just a handful of people. And it’s not always by accident. Russia’s GRU recently exploited group invite links to secretly join Signal chats.
But the biggest takeaway is not the mistake of adding the wrong person to a chat — that happens, albeit with less fanfare. What this highlights is the hidden threat to the security of almost every organization, public and private, large and small. Phone users revert to secure messaging for its simplicity, usability and immediacy, because such platforms seem more private and secure than corporate alternatives, and because enterprise platforms such as email and Teams seem clunky in comparison.
Copying and pasting text, attaching media and files, scanning documents, it’s all there. These shadow networks outside the gaze of corporate IT overlords have become a honeypot for sensitive data and proprietary information. There are no corporate backups or archives, no oversight or monitoring. These are safe spaces.
And governments and politicians use these platforms for all those same reasons: WhatsApp groups for most and Signal groups for more security-savvy players. We have seen a steady stream of leaks from such groups for years; it’s nothing new.
The problem of these shadow networks isn’t going away, notwithstanding the inevitable assurances that will now come. We will be back here soon enough. So, a couple of pointers to staying safer. Avoid group links for sensitive topics. Limit adding members to admins only. And if it’s really sensitive, apply disappearing messages, although if the wrong people see the messages before they go, you’ll still make headlines.
To end on a neat twist — while texting journalists is a surefire way to breach security, the Signal chat itself was protected from outside interference by its encryption. And that security has never been more under threat from the lawmakers who rely on it than now. An irony that should not get lost amongst the headlines over the coming days.