An intern hired by GCHQ stole top secret data and took it home in a national security breach.
Hasaan Arshad, 25, was free to take his work mobile phone into a top secret area of GCHQ and connect it to a workstation inside the intelligence agency.
What?
Decades back I knew the little specialist computing company that made and installed the boxes for GXHQ. No ports – so that no one could download data. Do disk drives (that many decades back). No connections to the outside world at all from the computing system. An entirely and wholly closed world.
And he took a phone in and linked it?
It’s not just this individual who should be given a blank wall, a blindfold and a last cigarette.
The security breach is potentially embarrassing for GCHQ, based in Cheltenham. The intelligence agency runs a summer internship lasting 10 weeks that is only open to university students from ethnic minority backgrounds.
It is unclear whether Arshad was admitted as an intern through the diversity scheme.
Yes, they do require the languages, in proper argot, which means native speakers and also detailed knowledge of the place itself available only to those who grow up there. But still…..
I dismissed this story for exactly the same reasons as you Tim.
I’ve been to the occasional secure site, both commercial and government and could not take anything in.
My firm even manufactured secure equipment and as you said no access to anything and if it had a disk it was encrypted, so the data was useless.
My guess is, that this was a trap.
Or GCHQ are rapidly becoming DEI-ified 🙁
I’m reasonay sure USB ports were disabled on Restricted DII machines when I was in. How they’re not in Cheltenham is beyond me…
Complete baloney
He was an intern
He would not have had access, would not have had clearances and certainly would not have been employed on anything highly classified
I doubt that he has a ‘work phone’
Phones cannot connect to restricted systems let alone higher classifications, USB connections are disabled or simply not installed
Whatever happened its not what was reported, and he was prosecuted under the computer misuse act….
The first day of April…
It’s been widely reported so not an April Fool.
I presume one can take photos of sensitive materials with a camera phone and then download them as PDFs etc so there doesn’t need to be leaky GCHQ wifi.
As Tim says, shoot the useless monkeys who came up with this internship programme first, then worry about this one.
@Marius
No phones in secure areas, or other devices like fitbits, apple watches etc
None, zilch, nada
No photos
It all smells very fishy
Doesn’t GCHQ have ISO 27001 certification?
From my own experience in similar places, slightly further North, where I had low-level credentials and clearance to be – Don’t Believe A Word Of It. Triply-Not any discussion whatever that involves a smartphone, which (in the places I was) were simply, absolutely, 100%-verboten, and everybody knew it, and everybody was scanned for such things before admission, from the general on down. None of the ‘workstations’ had any sort of external connectability of any sort, never mind something like USB or Bluetooth, which is what the story of a phone suggests.
This sounds like a cover story, which might seem plausible to readers of the Daily Mail, to paper over some entirely-different breach.
llater,
llamas
I thought “Slough House” was fiction.
Seems it is for real, only the reality is even dumberer.
Or of course, the whole story is a fake. Why? What’s the story they are hiding with this squirrel?
The court was told that Arshad had previously admitted two charges of making an indecent photograph of a child in relation to a number of images found between Sept 7 and 23 2022.
How is he not a judge?
I think llamas might be onto something.
The story as described has so many “really ! that’s not how these places work” elements to it that it cannot be true. As pointed out, he would not have been given access to the sort of stuff it’s said he was able to copy, and even if he was, it would have been on secure systems that he could not have connected his phone to, and his supervisor would not have allowed a phone into such an environment anyway, and so it goes on.
But as a cover story, one has to wonder what could be more embarrassing than admitting that you allowed all these multiple levels of security breach to happen without anyone noticing.
It doesn’t say where which area he worked. When you have access to secure data you can abuse that access. If you have access to the back end you can access things like backups, even make your own backups on to certain media. Process keeps the secure data away from people that should not have access to it. If you have access to it you have the capability of ignoring process and copying it, via photos, data transfer or even just remembering it and typing it out when you get home. You don’t need Tb of data to store names of informants for example.
People sneak phones and recording devices into secure establishments all the time by accident. When you have cameras and recording devices about the same size as Starmers integrity you can only detect them by strip searches and even then I bet the professionals can get them into all but the most secure areas.
I can also imagine with a name like that people are also giving these hires a bit of leniency when it comes to oversight, no searches etc.
In saying all that I doubt he had access to any interesting classified data, our government over classifies things so much that there are many classified systems using older technologies such as Win 3.1 with the relevant ports that could be accessed because it contains things like power station, water works locations and etc. are classified. All the real data is stored behind codewords. You can also have a document with the lowest classification data in it only but though amalgamation it get its classification raised to the next level. So something with nothing really classified in it can be TS. Also, and this is happening in Canada now. Pierre Poilievre is talking about government issues that are available publicly perfectly legally but the gov has classified them internally. They can’t tell you what it is as obscurity is part of the process. As Poilievre hasn’t signed the Canadian equivalent of the Official Secrets Act he can’t be prosecuted for treason so they are trying to get him to sign up to it so they can shut him up. Think about that publicly available data to everyone is classified.
So, I can believe he accessed genetic classified data. I don’t believe it was anything important and more importantly he was caught so the process worked. Throw him in jail and lets move on.
I also was reminded of the ‘Slow Horses’ scenario. But this is different. ‘Slow Horses’ were spooks who just weren’t very good at parts of their work. The reported scenario includes multiple, deliberate breaches of well-known and -understood rules and protocols. That’s why I don’t believe it. Leaving files in a taxi – that happens – has happened. Leaving a comms network open and unsecured, inside a highly-secure facility, and then letting someone in – anyone – with a device that could connect to the network unobserved? Sorry, didn’t happen. And – even allowing for the possibility that it did – any such perpetrator would certainly not be brought up in the civilian courts to babble about it. There’s a reason we joked that NSA stands for ‘Never Seen Again’.
llater,
llamas
@LordT – maybe what you suggest is true, in some places. But certainly not inside ‘a top secret area inside GCHQ’, which is what the article claims. Those places simply do not allow anybody – anybody – to do the sorts of things which it is alleged this guy did. I’ve been inside similar places in the UK – not GCHQ – and there simply is no possibility that he did what is claimed. As for people smuggling in prohibited devices – rest assured, no strip search is required, the scanners see all and God help you if you are caught concealing anything like that. The only possibility is that the guy has some sort of eidetic memory and memorized things he saw – but that’s not what is claimed. Where I was, terminal screens were covered at all times and only exposed to persons authorised to view them – not including me, I should add. You can’t install media devices, like thumb drives or floppy discs, because the terminals simply don’t have the capability, yet this guy supposedly synced his phone into the network?
No. Didn’t happen as described. Something else may have happened, but not this.
llater,
llamas