The Month: MI5 launches insecure email system for terror alert updates

January 31, 2007

In a surprising faux-pas for a spy network, MI5 has launched an insecure email system for terror alert updates. Concerned citizens can sign up to the service to be kept informed on the terror alert level in the UK. But when the service was launched, privacy activists SpyBlog discovered a variety of security issues, and dubbed the system a "shambles".

The entire system had been outsourced, some of it to US-based email-listadministrator Mailtrack. However, users' personal details were beingsent to the US unencrypted, and then stored there - potentially a breachof the Data Protection Act.

"Outsourcing is increasingly popular, but businesses should ensure theirdata is being held in their country," said Dan Druker, vice-president ofworldwide marketing at Postini. "Territorial legal inconsistencies cancause trouble if they are not considered carefully. It is also vitalthat customer information is encrypted both at rest and in flight."

The service has now been changed so it no longer uses the US services.Instead, it submits data via SSL links to web servers based in the UK.

prestitial ad