UK Intelligence Agency Sends Passwords in Plain Text
Dan Farrell alerted the GCHQ to the issue in January, but recently found that it hadn't been corrected two months later.
Blogger Dan Farrall, a third-year digital and computer forensics student at Teesside University, recently noted that the UK's GCHQ (Government Communications Headquarters) intelligence agency responded to his "forgotten password" request as a job applicant with an e-mail containing his password in plain text.
Farrell sent the GCHQ an e-mail on January 28, 2013 alerting them to the issue, but heard nothing back -- and when he tried the same thing again on March 23, 2013, the issue still hadn't been fixed.
In a statement to The Inquirer, a GCHQ spokesman said, "The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. We are working with our supplier to achieve this."
"For those that don’t think this matters, bear in mind the type of information you’re submitting to these online applications," Farrell writes. "Names, dates, family members information, passport numbers, housing information. With this type of information identity theft is a major concern."
Varonis technical director Rob Sobers told SC Magazine, "This case in particular highlights the need to do a thorough check of your third party providers and their business practices, especially in the area of security."