The UK Government has been ‘pwned’: The consequence of data breaches for democratic politics

In December last year, the UK National Crime Agency (NCA) donated 225 million unique passwords to the cyber-security project ‘Have I Been Pwned’ (HIBP) – which left us wondering, to what extent might UK politicians have been breached?

The Sunday Mail recently reported that former Prime Minister Liz Truss’ mobile number was being sold online for £6.49. This showcases the level of personal data which is available to purchase for some of the UK’s most senior politicians; it’s time this was acknowledged.

What does it mean to be ‘pwned’?

Cyber attacks are increasingly common and most companies, organisations and individuals are at risk. ‘Pwning’ is the process by which users’ personal data such as emails, messages, comments and posts, almost the entirety of their digital footprint, can be appropriated. Being ‘pwned’ essentially means to be owned. In the term pwned, ‘o’ is replaced by ‘p’ due to the proximity of the two letters in a keyboard.

The process is straightforward. A malefactor just needs your email address and password in order to have access to one, several, or perhaps all of your online accounts. One study revealed that people have an average of 18 online accounts and 41% reuse the same password for all. The likelihood of your ‘go to’ login combinations being available to cyber criminals on the dark web is substantial, especially if you are using the same combination for most of your accounts. You can check if you have been ‘pwned’ here.

What does this mean for politicians?

Some contact information for public officials is already readily available due to their prominence and due to the increasing prevalence of data aggregation websites. MPs usually encourage their constituents to contact them regarding an array of issues. It is common that this same email is offered to the wider public by the parliamentary website. It is also the email address that MPs use to communicate with each other.

If you live in Richmond (Yorkshire) and wish to write to your local MP (and Prime Minister), Rishi Sunak, on his website it states that you ‘MUST include your full name and address details plus contact information’. Sensibly, someone in his office will need to identify who the sender is to ensure that he or she lives in Sunak’s constituency. What the site does not mention is that his email address has been pwned, which means that unknown actors have potentially had access to the messages that his constituents, and even you, have sent to this email address.

Our research concluded that every Cabinet minister in Boris Johnson’s government had been pwned. All of Labour’s Shadow Cabinet ministers, with the exception of Preet Gill, have recorded breaches on their parliamentary email accounts as well.

Some examples

In 2019, a spam operation known as “Intelimost” sent millions of emails that appeared to originate from people the recipients knew. Researcher Bob Diachenko identified over three million unique email addresses with their adjacent passwords in an exposed database. This database contained the login details of former Prime Minister Boris Johnson. His spouse, Carrie, also had her email addresses breached on multiple occasions.

In a similar episode in 2017, a spambot was found by cybersecurity researcher Benkow moʞuƎq to have retrieved 711 million unique email addresses, many of which were accompanied by corresponding passwords. Shadow ministers, Labour leader Sir Keir Starmer and his deputy Angela Rayner were amongst the victims, which poses the question: how vulnerable is our data when we contact an MP? 

What are the dangers of this?

In our digital era, cybersecurity vulnerabilities can translate into serious threats ranging from online fraud to the spread of disinformation and espionage. It is unlikely that MPs’ communications with constituents are always safe and confidential, and the problem becomes even more concerning when it is approached from a national security perspective.

The leaking of Hillary Clinton’s emails during the 2016 US presidential race comes to mind. It is often cited as a turning point in that election, and some experts have pointed to foreign interference as playing a role in this data breach. In the UK (now-Security Minister) Tom Tugendhat, told the BBC last year, that his colleagues at GCHQ thought he was “better off sticking to Gmail, rather than using the parliamentary system, because it was more secure” – a concerning picture of just how exposed British officials are.

Failing to properly protect the confidentiality of communications detrimentally impacts democracy and security in uncertain times. The susceptibility of parliamentary emails can be leveraged by foreign actors to sow discord deep into the national political tissue or to collect confidential information. The bottom line is that the UK has a parliament of ‘pwned’ politicians.