In a surprising faux pas for a spy network, MI5 has launched an insecure email system for terror alert updates. Concerned citizens can sign up to the service to be kept informed of the terror alert level in the UK. But when the service was launched, privacy activists SpyBlog discovered a variety of security issues, and dubbed the system a "shambles".
The entire system had been outsourced, some of it to US-based email-list administrator Mailtrack. However, users' personal details were being sent to the US unencrypted, and then stored there - potentially a breach of the Data Protection Act.
"Outsourcing is increasingly popular, but businesses should ensure their data is being held in their country," said Dan Druker, vice-president of worldwide marketing at Postini. "Territorial legal inconsistencies can cause trouble if they are not considered carefully. It is also vital that customer information is encrypted both at rest and in flight."
The service has now been changed so it no longer uses the US services. Instead, it submits data via SSL links to web servers based in the UK.