Privacy Hamstrings Protection of White House Staff Gmail

The recent hijacking of White House employees' personal email accounts underscores the difficulty guarding national security when private lives and government roles intersect.

Malicious operators netted the personal Gmail and Twitter passwords of several employees who handle White House social media outreach. 

The Executive Office of the President is not responsible for protecting personal email accounts, since that could be seen as an invasion of privacy, individuals familiar with the matter said.

The Office of the President, which includes the White House, regularly runs security education campaigns and sends reminder emails -- which typically go ignored -- about threats hitting social media and personal email accounts, these people said.

They added that the office currently does not require two-step authentication for logging into personal email accounts. That security control would have alerted the targets with a text message or phone call when someone tried to sign in from a new computer. 

Email addresses for White House digital strategy employees are relatively easy to find since their jobs involve public access, cyber researchers said.

White House officials declined to discuss whether they are changing staff email policies to thwart hackers who are intent on breaching personal accounts to wriggle into official accounts.

"As a general matter we don’t comment on our security procedures here at the White House,” National Security Council spokeswoman Caitlin Hayden said. 

Obama administration officials deferred to the FBI on all questions about the break-in, which was first reported by Nextgov on Monday.

"All that we can acknowledge is that we're investigating. Cyber cases are unlike others in that I have no idea how much time might pass before there are developments that we could go forward with" about who was behind the operation, FBI spokeswoman Jenny Shearer said. 

Islamic hacktivists in the Middle East are suspected of orchestrating the raid, and at least one group, the Syrian Electronic Army, has taken credit for it. 

It is believed the actors were phishing for official White House social media passwords by sending at least a dozen digital strategy staffers Gmail messages that contained credential-stealing links. Some researchers also speculate the scheme, which worked on at least three employees, aimed to snoop on work-related information in personal emails. 

The Syrian hackers claimed they were unsuccessful at piercing the White House's cyber defenses using the stolen data. In recent days, the group seized Thomson Reuters' Twitter feed and accessed databases supporting messaging app Viber.

(Image via trekandshoot /Shutterstock.com)