Ministers and civil servants conducting “government by WhatsApp” have been at risk of being targeted by hackers, leading to new advice from security chiefs about how to improve their privacy.
The cabinet secretary, Simon Case, revealed that the Government Security Group had issued fresh guidance across government in a letter to Labour, which had raised questions about ministers using their personal phones to conduct official business.
The shadow chancellor of the Duchy of Lancaster, Angela Rayner, wrote to Case criticising ministers’ use of WhatsApp and private email, which has emerged in relation to Covid contracts being discussed on personal digital devices.
The civil service chief said in his reply that the government took security seriously and highlighted the work done to improve it. It is understood the advice was issued in May after high-profile stories about hackers exploiting WhatsApp.
“The NCSC [National Cyber Security Centre] and the Government Security Group in the Cabinet Office may also issue guidance in response to specific threats,” he said. “For example, the Government Security Group recently provided advice on how to secure devices using two-factor authentication in response to hackers using fake messages to access WhatsApp.”
His comments suggest such authentication was not always used routinely.
Hackers are known to have targeted government officials across the globe through WhatsApp. Ministers in Australia, the Netherlands and South Africa have suffered successful attacks on their digital devices.
The Guardian’s investigation into a leak about Pegasus software revealed last month that clients of the Israeli-based cyber intelligence firm NSO could in effect take control of a phone, enabling them to extract messages, calls, photos and emails, secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal.
The shadow security minister, Conor McGinn, said “conducting official government business via WhatsApp risks exposing potentially critical information to hackers and cybercriminals who seek to harm our country”.
He also highlighted Boris Johnson’s poor cybersecurity, after it was revealed last year that the prime minister was still using his personal mobile number that was widely available.
Rayner said: “Private WhatsApp messages avoid transparency and scrutiny, and could easily be used to facilitate the waste of taxpayers’ money on contracts for mates of Conservative ministers.
“We need a fully independent inquiry into the government contracts that have been handed out over private email and WhatsApp so we can get to the bottom of this scandal.
“We need all decisions and communications made during the pandemic to be made available to the public inquiry, including those held in private ministerial WhatsApp messages.”
A Cabinet Office spokesperson said the government had sent the guidance to all departmental employees in May.
Rowena Mason Deputy political editor