Ian Lavery MP claimed he had been “hacked” after a tweet about his position on Brexit was posted in reply to a journalist.
The position on Brexit isn’t what this article is about; it’s about the claim that a hacker was responsible.
Earlier today, Ian Lavery appeared to publish and then delete the below tweet, but soon claimed that it was sent after “Someone else logged in to my account, not me or any of my staff”. The tweet below has been pulled from ‘Politwoops’, a service that archives all deleted tweets from politicians.
As you can see, Twitter shows the app or platform used to publish tweets, be it the default app for iPhone, the Chrome browser or services such as Hootsuite.
The tweet deleted by Lavery was published on the Twitter for iPhone app, which is common for his account.
However, the e-mail cited by Lavery later in the day (shown below) as proof that his claim had been “confirmed by Twitter” states that a login happened on the Chrome browser, rather than the Twitter for iPhone app the tweet was published on.
What does this mean? Well, the login warning is about a login on the Chrome browser that occurred later in the day and is therefore entirely unrelated to the tweet sent earlier in the day from the iPhone Twitter app.
For clarity, the vast majority of tweets sent from @IanLaveryMP are posted via Twitter for iPhone.
Worth noting too is that this e-mail is normally sent as soon as a new login is detected, not two hours later.
Simply put, the ‘proof’ offered proves absolutely nothing other than that someone logged in a few hours after the original tweet on a different app, in this case a web browser.
Poor information security isn’t unusual for some MPs anyway. Last year we reported that Conservative Member of Parliament Nadine Dorries sparked widespread concern after claiming it was common practice for MPs to share computer log-in details with staff and interns.
This was an incredibly irresponsible example of poor cyber security and information security awareness, and of the overall lack of accountability this generates.
One of the most basic security mistakes out there is sharing account credentials. It should also be noted that this is one of the MPs who is trying to ban or limit encryption.
Parliamentary ICT (PICT) Security Policy specifically states on the matter:
Additional sections repeatedly make clear that passwords must not be shared.
The Information Commissioner’s Office said at the time:
“We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. In the meantime, we would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
It seems very unlikely that Lavery was actually hacked, but poor information security is a serious problem.