UPDATE 13.02.23: it’s been drawn to my attention that Mr McDonald says that his private account is “not used for constituency or parliamentary business” END UPDATE
It was reported last week that the email account of Stewart McDonald, an SNP MP, had been compromised in what he described as a “sophisticated and targeted spear phishing hack”. The BBC appeared to agree with him, describing it as a “highly targeted and sophisticated attack”.
Maybe it was, although surely MPs are told to be wary of unexpected email attachments, and not to put enter system passwords when asked to in palpably suspicious circumstances (McDonald had attempted to open a document apparently sent by a member of his staff, with a military update on Ukraine, and clicking on it brought up a login page for the email account he was using).
But what I haven’t seen raised much in the media is the fact that the account which was compromised appears to have been McDonald’s private email account, and that the offending attachment was sent (or was spoofed to make it look like it was sent) from his staffer’s private email account. The reporting has referred to “personal” email account, from which it is reasonable to infer that these are not official accounts (such as McDonald’s one given on his parliamentary page).
Only last year the Information Commissioner presented a report to Parliament on the use of private communications channels in government. Although the report was prompted by concerns about the use of such private channels within the Department for Health and Social Care, it made clear that it had general application in relation to the “adopting [of] new ways of working without sufficient consideration of the risks and issues they may present for information management”. The report stresses throughout the importance of “maintaining the security of personal and official information” and the risks that private channels present to such security.
Did Mr McDonald and his staff read it? If not, this tweet he made only a couple of years ago is ironic, to say the least.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.