What businesses can learn from the US national security Signal breach

Signal: An open-source, encrypted service for instant messaging, voice calls, and video calls.

What happened?

In an article titled: “The Trump Administration Accidentally Texted Me Its War Plans”, journalist Jeffrey Goldberg revealed that he knew about the United States’ bombing of Houthi targets across Yemen before they actually occurred.

Hillary Clinton reacted the way most of us did. “You have got to be kidding me,” she exclaimed on X (formerly known as Twitter).

What followed was a slew of denials from the Trump administration that any classified information was shared, alongside horrified reactions from US officials (and the world).

Jeffrey Goldberg’s response to the the administration’s denials was to publish another article, titled: “Here Are the Attack Plans That Trump’s Advisers Shared on Signal”, proving to anyone that could read, that classified information was indeed leaked to him, including precise timings of US military operations.

How did it happen?

Earlier in March, the US National Security Adviser started a group chat on Signal that included the US Vice President, Secretary of Defence, Secretary of State, Director of National Intelligence, and CIA director, amongst other senior officials.

The purpose of the group was to discuss strikes on Houthi militants in Yemen. Unfortunately, he added Atlantic editor in chief Jeffrey Goldberg to the chain, presumably by accident.

To say the Trump administration has an unconventional way of running things is an understatement. Conversations that under normal circumstances should have occurred over approved secure government channels, were discussed using an app that Pentagon regulations specifically state cannot be used “to access, transmit, (and) process non-public DoD information”.

What businesses can learn from this

To avoid your own Signal fiasco, here are the rules of engagement you should follow:

1. Mentally classify the information you are about to send. If it could be deemed as sensitive or you are nervous about sending it, question whether you should be putting any of it in writing.
2. If you are unsure at this point, a phone call or meeting is going to be less risky.
3. If you have decided to commit your potentially sensitive information in writing, use the right communication channel. There is typically a communication channel that your cybersecurity or technology team has approved for use. e.g. Slack, Teams. If you don’t know what that is, ask your cyber team.
4. If you need to attach documents containing sensitive information, use your work-approved file share solution (e.g. Microsoft OneDrive, Google Drive), and ensure access to the documents in question are limited to specific individuals or groups. This reduces the risk of unintended recipients being able to access the information contained in those documents, even if you accidentally add them to the list of recipients.
5. Double check the recipients of the message you are about to send.
6. Check the list of recipients again.

Final thought

As a general rule, never send sensitive information over social media messaging apps (e.g. WhatsApp, Signal). It’s much easier to make the mistake of including unintended recipients (i.e. everyone on your huge contact list), compared to the approved channel where the list of possible recipients will usually be limited to your colleagues.

Ian Yip is the founder and CEO of Avertro, a venture-backed cybersecurity software company.