As reported in the Guardian (and elsewhere), Matt Hancock “used a personal email account to conduct vital Department of Health business.
Senior health officials had previously warned about Hancock’s conduct, saying that he “only” deals with his private office “via Gmail account”. The health secretary was given an official email account, but it was reported that he preferred to use his personal one. The practice, in contravention of official guidelines, means officials may not have a complete record of government dealings prior to and during the pandemic.”
<p>We should be clear that the practice is not in “contravention of official guidelines”. It would be instant dismissal in any commercial organisation and a code of conduct report in local Government. It is not a matter of preference. From a security point of view, Matt Hancock could have exposed the Government to cyber-attacks.</p>
<p>Personal accounts are less secure and are not monitored by the Government’s cyber security. Personal emails are cracked more easily than the encrypted accounts issued to Ministers. If a cybercriminal can access a personal email account, which is easier than you may think if the password is a combination of English words, they can control it. Once they have control, the cybercriminal can use the address to pose as a ‘trusted’ contact when communicating with other accounts. In doing this, the attacker establishes a trust that leads to the individual passing on something of value. They can also set up email rules to ensure that the compromised user cannot see that they are sending or receiving fraudulent messages. Almost every cyberattack includes some element of a compromised internal credential like this.</p>
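The hidden email rules described above are something a monitored account can be checked for. The following is an added example, not part of the original article: a small audit that flags rules which forward mail outside the organisation or quietly hide messages. The rule schema, action names, keyword list and sample data are all assumptions constructed for illustration and do not match any mail provider's export format.

```python
# Added example: audit mailbox rules for signs of a hidden account takeover.
# The rule schema below is hypothetical (not any provider's export format).
from dataclasses import dataclass, field

HIDING_ACTIONS = {"delete", "skip_inbox", "mark_read", "move_to_folder"}
# Assumed keyword list: topics whose replies or alerts a hidden rule would suppress.
SENSITIVE_TERMS = {"invoice", "payment", "password", "security alert", "suspicious", "bank"}

@dataclass
class Rule:
    name: str
    match_from: str = ""          # sender filter, "" = any sender
    match_text: str = ""          # subject/body keywords, "" = any message
    actions: set = field(default_factory=set)
    forward_to: str = ""          # forwarding destination, "" = none

def audit_rule(rule: Rule, own_domain: str) -> list[str]:
    """Return the reasons a rule deserves manual review (empty list = nothing found)."""
    reasons = []
    hides = rule.actions & HIDING_ACTIONS
    text = rule.match_text.lower()
    if rule.forward_to and not rule.forward_to.lower().endswith("@" + own_domain):
        reasons.append(f"forwards mail outside {own_domain}: {rule.forward_to}")
    if hides and not rule.match_from and not text:
        reasons.append("hides every incoming message: " + ", ".join(sorted(hides)))
    hit = sorted(t for t in SENSITIVE_TERMS if t in text)
    if hides and hit:
        reasons.append("hides messages mentioning: " + ", ".join(hit))
    if hides and not rule.name.strip(" ."):
        reasons.append("hiding rule with a blank or punctuation-only name")
    return reasons

def audit_mailbox(rules: list[Rule], own_domain: str) -> dict[str, list[str]]:
    """Map rule name -> reasons, for every rule that has at least one."""
    audited = {r.name: audit_rule(r, own_domain) for r in rules}
    return {name: why for name, why in audited.items() if why}

# Constructed sample rules for illustration only.
SAMPLE_RULES = [
    Rule("Newsletters", match_from="news@example.org", actions={"move_to_folder"}),
    Rule(".", match_text="invoice payment", actions={"delete", "mark_read"}),
    Rule("backup", forward_to="collector@example.net"),
    Rule("Team copy", forward_to="assistant@example.com"),
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, "example.com").items():
        print(name, "->", "; ".join(reasons))
```

A check like this only works where someone can see the account's rules, which is the monitoring a personal account lacks.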