Intruders socially engineered their way in, accessing public chat rooms but not breaking encryption.
An intruder has breached the French government’s encrypted messaging service, Tchap, showing once again that human error is a weak spot in any security system.
Tchap was developed in France as an example of national sovereignty and was designed to be a more secure option than WhatsApp for communication between government employees.
In this case, it wasn’t the technology that was at fault, but a user: The intruder gained access to the system by taking over their account, according to DINUM, the French government’s interministerial digital directorate.
DINUM said it has blocked the affected user’s access and is investigating how much information has been revealed. While the system’s encryption was not broken, the intruder would have been able to view unencrypted public chat rooms accessible to the account taken over, potentially affecting 73,467 of the system’s 825,000 users, DINUM said.
That matches at least part of a post on X (formerly Twitter) reporting the intruder’s claim to have accessed the account of a Tchap user in the education sector through social engineering, exposing 73,467 user accounts, 643,459 messages, 876 chat rooms with message history, and 59,386 media files totalling 13.51 GB, including references to documents marked “Diffusion Restreinte” (restricted distribution).
DINUM said that it had reminded all Tchap users that public chat rooms are accessible to any user and are not encrypted, so all participants should refrain from any sensitive or confidential information.
This article first appeared on CSO.
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.