This hidden problem is getting worse.
“Nobody was texting war plans,” U.S. Defense Secretary Pete Hegseth insisted just hours after a journalist revealed he was invited into a group chat with Trump officials discussing military strikes on Houthi rebels in Yemen. The White House confirmed the breach as the world contemplated the post-bombing emoji selection of those keeping Americans safe and secure. But the implications are more far-reaching, exposing a hidden security threat for all businesses.
“U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.” The Atlantic Editor-in-Chief Jeffrey Goldberg reported that “the secretary of defense had texted me the war plan at 11:44 a.m. The plan included precise information about weapons packages, targets, and timing. This is going to require some explaining.”
There is plenty to unpack in this story from a security perspective. But the choice of messaging app should not be a surprise. America’s cyber defense agency warns “highly targeted individuals,” such as those in this group chat, to always use end-to-end encrypted messaging, “such as Signal or similar apps,” which they did.
But end-to-end encryption is only as secure as each of the ends. If you add the wrong person into a group, all that security fails. Group chats are inherently more risky — especially when it’s more than just a handful of people. And it’s not always by accident. Russia’s GRU recently exploited group invite links to secretly join Signal chats.
But the biggest takeaway is not the mistake of adding the wrong person to a chat — that happens, albeit with less fanfare. What this highlights is the hidden threat to the security of almost every organization, public and private, large and small. Phone users revert to secure messaging for its simplicity, usability and immediacy, because such platforms seem more private and secure than corporate alternatives, and because enterprise platforms such as email and Teams seem clunky in comparison.
Copying and pasting text, attaching media and files, scanning documents — it’s all there. These shadow networks outside the gaze of corporate IT overlords have become a honeypot for sensitive data and proprietary information. There are no corporate backups or archives, no oversight or monitoring. These are safe spaces.
And governments and politicians use these platforms for all those same reasons — WhatsApp groups for most and Signal groups for more security-savvy players. We have seen a steady stream of leaks from such groups for years. It’s nothing new.
The problem of these shadow networks isn’t going away, notwithstanding the inevitable assurances that will now come. People will let down their guard soon enough. So, a couple of pointers for staying safer. Avoid group links for sensitive topics — like health information, private customer data or war plans. Limit adding members to admins only. And if it’s really sensitive, apply disappearing messages, although if the wrong people see the messages before they go, you’ll still make headlines.
To end on a neat twist — while texting journalists is a surefire way to breach security, the Signal chat itself was protected from outside interference by its encryption. And that security has never been more under threat from the lawmakers who rely on it than now. The British government has infamously pushed Apple to restrict encryption in the U.K., the French government continues to push for something similar and the FBI has confirmed it also wants lawful access to citizens’ data. The irony should not get lost among the headlines over the coming days.