UK Justice Secretary Jack Straw had his web-based email account compromised last Thursday. Jack Straw, former Home Secretary, used a Hotmail account as his sole public email address.
Figure 1. Jack Straw’s contact information from http://www.jackstrawmp.org.uk/contactus.asp
In a variation of a theme currently being used on social networking sites, 419 scammers used the compromised account to send hundreds of email messages to Jack Straw’s constituents and others in his address book and inbox. The bogus message, purporting to be from Mr. Straw, claimed that he had lost his wallet while in Nigeria promoting a charity called “Empowering Youth to Fight Racism” and asked the recipient if they could help him out by sending $3,000 to fly home.
“It was an issue for constituents, not the government. We are checking all that and I am assured there’s no evidence that confidentiality of constituents was affected,” the MP told the Telegraph newspaper in the UK.
Aside from the fact that constituent confidentiality was clearly breached (their email addresses were all available to, and used by, the hacker, and any emails in the Hotmail inbox or filed away in online folders would have been visible), it surprises me that he was using Hotmail in the first place. The service is routinely abused by e-criminals for this kind of email scam. Of course, as a past Home Secretary who set up the High Tech Crime Unit, he would have been expected to know better. But the real issue here is: why isn’t the UK Government adopting the same strict guidance given by the US Government, namely don’t use anything other than a government email address for parliamentary business?
These accounts are not under the control, security protocols or jurisdiction of any government IT program; they will not be backed up or indexed by government and almost certainly will not be subject to any Freedom of Information request made against government data. In addition, shouldn’t privileged communication between a Member of Parliament and their constituents be routinely encrypted, especially given that Identity-Based Encryption services now offer the opportunity to send encrypted email to anyone with no need for any kind of pre-enrolment or key management?
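To show what “no pre-enrolment or key management” means in practice, here is an added example that is not from the post or from any IBE vendor: a toy Python implementation of Cocks’ identity-based encryption scheme, chosen because it needs only integer arithmetic (commercial IBE services generally use pairing-based constructions, but the workflow is the same). The private key generator, its modulus, and the `constituent@example.org` address are constructed for the demonstration; 64-bit primes and bit-at-a-time encryption are illustrative only and nowhere near a usable security level. The property it demonstrates is the one the paragraph relies on: the sender needs only the authority’s public modulus and the recipient’s email address, and the recipient collects a private key for that address afterwards.

```python
"""Toy identity-based encryption: Cocks' quadratic-residuosity scheme (2001).
Constructed example; the sender needs only the PKG's public modulus n and the
recipient's email address. Parameters are far too small for real use."""
import hashlib
import itertools
import secrets

def is_probable_prime(n, rounds=24):  # Miller-Rabin
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def blum_prime(bits):
    """Random prime p = 3 (mod 4); '| 3' forces the low two bits."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_identity(identity, n):
    """Map an email address to a public value a with (a/n) = 1; no enrolment."""
    for counter in itertools.count():
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a

class PrivateKeyGenerator:
    """Trusted authority holding the factorisation of n; issues per-identity keys."""
    def __init__(self, bits=64):
        self.p = blum_prime(bits)
        self.q = blum_prime(bits)
        while self.q == self.p:
            self.q = blum_prime(bits)
        self.n = self.p * self.q  # the only public parameter

    def extract(self, identity):
        """Private key r with r^2 = a or r^2 = -a (mod n); requires p and q."""
        a = hash_identity(identity, self.n)
        return pow(a, (self.n + 5 - self.p - self.q) // 8, self.n)

def encrypt_bit(n, a, bit):
    """Encrypt one bit to identity value a; anyone who knows n can do this."""
    m = 1 if bit else -1
    while True:
        t = secrets.randbelow(n - 1) + 1
        if jacobi(t, n) == m:  # the Jacobi symbol of t carries the bit
            break
    t_inv = pow(t, -1, n)
    # Two ciphertexts: the sender cannot know whether a or -a is the square.
    return (t + a * t_inv) % n, (t - a * t_inv) % n

def decrypt_bit(n, a, r, ct):
    """c + 2r = (t + r)^2 / t for the matching half, so ((c + 2r)/n) = (t/n)."""
    c = ct[0] if pow(r, 2, n) == a else ct[1]
    return jacobi((c + 2 * r) % n, n) == 1

def encrypt_message(n, identity, plaintext):
    a = hash_identity(identity, n)
    bits = [(byte >> i) & 1 for byte in plaintext for i in range(7, -1, -1)]
    return [encrypt_bit(n, a, bit) for bit in bits]

def decrypt_message(n, identity, r, ciphertext):
    a = hash_identity(identity, n)
    bits = "".join("1" if decrypt_bit(n, a, r, ct) else "0" for ct in ciphertext)
    return int("0" + bits, 2).to_bytes(len(ciphertext) // 8, "big")

def demo(message=b"Hi", recipient="constituent@example.org", bits=64):
    # The sender encrypts before the recipient has ever contacted the PKG.
    pkg = PrivateKeyGenerator(bits)
    ciphertext = encrypt_message(pkg.n, recipient, message)
    r = pkg.extract(recipient)  # issued later, once the recipient proves ownership
    return decrypt_message(pkg.n, recipient, r, ciphertext)
```

Running `demo()` returns the original bytes; the order of operations inside it is the point, since `extract` is only called after the ciphertext already exists. The trade-off this makes visible is that the private key generator can derive every user’s key, so whoever operates it (a parliamentary IT service, in the scenario above) must be trusted with that power and protected accordingly. Requires Python 3.8+ for `pow(t, -1, n)`.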