In March 2025, a major data breach shook Washington DC when a journalist was accidentally added to a secure Signal app messaging group. Signal, a platform celebrated for its encryption, was intended to facilitate private communications among high-ranking government officials. The group included Vice President JD Vance, Defence Secretary Pete Hegseth, and National Security Adviser Mike Waltz, and the members were discussing military operations against the Iran-backed Houthi group in Yemen. Unfortunately, this breach exposed sensitive, classified information about military airstrikes—targets, timings, and strategies—just hours before the attacks took place.
This breach serves as a stark reminder of how quickly mistakes can happen when messaging platforms are used for work, particularly when sensitive data is involved. Although Signal is considered secure due to its encryption, this incident shows that even the most secure platforms can be vulnerable when used improperly. A simple error can lead to major risks.
What Went Wrong with Signal App?
A Simple Mistake, A Serious Data Breach
The breach occurred when journalist Jeffrey Goldberg, from The Atlantic, was mistakenly added to the Signal chat. Initially, he thought the group might have been a prank, but soon realised it was a real, ongoing conversation involving top government officials. The chat revealed sensitive military details, discussed in an informal, casual manner. The officials used emojis and laid-back language to express support, concerns, and thoughts on military operations.
At first glance, this might seem like a small mistake—just adding the wrong person to a group chat. But the consequences were enormous. Confidential military plans were shared in an unsecured environment, without clear communication protocols, raising concerns about how secure communication really is when handling sensitive information at such high levels.
The Dangers of Informal Communication
One of the key issues in the Signal App breach was the informal tone of the communication. After the military strikes were carried out, emojis—such as fist pumps, flags, and fire—were shared among the group, along with short, informal comments. This casual communication, in a professional setting, can be dangerous. It makes it easy for critical details to be lost or misinterpreted. Such informalities undermine the seriousness of the situation and can inadvertently reduce the security around the information being discussed.
While emojis might be fine for texting friends, they have no place in work-related discussions involving sensitive or classified information. This incident highlights the importance of maintaining professionalism in all forms of communication, especially when the stakes are high.
Key Lessons from Signal App Breach: How to Prevent Messaging Breaches?
This breach offers valuable lessons for organisations looking to prevent similar mistakes:
Limit Access to Sensitive Information: Only allow authorised individuals into work-related messaging groups. One of the biggest mistakes in this case was adding a journalist to a private chat meant for high-ranking government officials. For organisations, this means carefully controlling who has access to sensitive discussions. Implement strict access controls and periodically review who should be included in private communication channels.
Use the Right Platforms for Sensitive Information: While Signal is known for its security, no platform is infallible. Organisations should evaluate whether their communication tools are appropriate for sensitive information. Even with encryption, it’s wise to use additional layers of protection, such as secure file-sharing platforms or specialised messaging systems designed for confidentiality.
Avoid Casual Communication for Sensitive Topics: Sensitive information should never be shared in an informal or casual way. In the Signal breach, the use of emojis and informal comments muddied the seriousness of the situation. Work-related discussions should be professional, clear, and free of casual language. Misunderstandings or lack of attention to detail can result in major security breaches.
Train Employees on Messaging Security: It’s crucial to ensure employees understand the risks associated with using messaging platforms. Organisations should provide regular training on secure communication practices and make employees aware of what information can and cannot be shared over these platforms.
Monitor and Review Communications: Regular audits of communications within the organisation can help ensure platforms are being used correctly. This helps identify potential vulnerabilities and ensures policies are aligned with current best practices.
Be Prepared for a Breach: If a data breach occurs, organisations must respond quickly. A well-established response plan is essential for identifying the source of the breach, notifying affected parties, and taking corrective action to prevent future breaches.
TenIntelligence Thoughts
The Signal breach is a powerful reminder that even encrypted messaging platforms can be compromised by carelessness. In the digital age, it’s easy to forget that one small mistake, like adding the wrong person to a group chat, can have disastrous consequences.
The takeaway for businesses is clear:
- implement strong security measures,
- educate employees on best practices
- ensure all communications—whether via messaging apps or other platforms—are conducted professionally.
By taking these steps, you can protect your organisation from the kinds of breaches that can cause long-lasting damage to their reputation and operations. Are your communication practices secure enough to withstand the next potential breach? Reach out to us for a Data Protection Assessment
Written by
Lynsey Hanson | Global Data Protection Officer