UK Spy Chief's Embarrassing Photos Teach Social Media Security Lesson

The wife of Sir John Sawers, the new head of British spy agency MI6, caused a stir when she posted personal family information to Facebook, including an unflattering photo of the middle-aged bureaucrat wearing nothing but Speedos swim trunks while on vacation at the beach. It's a silly, tabloid story, but it also teaches a serious lesson about social media security.

Mitch Wagner, California Bureau Chief, Light Reading

July 9, 2009


Sawers is due to take over as head of the Secret Intelligence Service in November, putting him in charge of Britain's spying operations abroad. Lady Shelley Sawers posted family photos and information to Facebook, which could have compromised the safety of the family and their friends, according to the Daily Mail. The Facebook information, available to any of the 200,000 people in the service's London network, includes the location of the London apartment the couple use, and the whereabouts of their three children and Sir John's parents.

Also included: A plethora of photos of the family looking ultra-dorky.

Sawers's political opponents are calling for an investigation into what they describe as a security breach, one that calls into question whether Sawers has the judgment to serve.

Foreign Secretary David Miliband defended Sawers. "It is not a state secret that he wears Speedo swimming trunks," he said.

But maybe it should be. This was not a flattering photo.

It's a funny story. But it also teaches a serious lesson about the security problems that come up when people in high-responsibility positions use social media.

When we think about insider security problems, we worry about disaffected employees deliberately stealing or doing damage. Or we worry about dumb employees making mistakes that can be exploited by enemies. But the Sawers incident shows how even otherwise smart people can make innocent mistakes that compromise security.

The Sawers incident underscores a report made by the U.S. Defense Intelligence Agency several weeks earlier.

America's soldiers are smart enough to avoid tweeting things like, "Sooper-seekrit invasion starts tomorrow! See you at the airport at 0800!" But even something perfectly innocent, like mentioning a nearby Starbucks, can breach security, according to Nick Jensen, an operational security analyst at DIA.

Jensen presented a fictional scenario ... in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen's scenario, LinkedIn provides a target DIA employee's basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Adversaries might be able to identify individuals working on strategic technology by combing LinkedIn. Online discussion groups and blogs might help foreign intelligence services find disgruntled employees who could be recruited or blackmailed.

People with access to sensitive information need to learn to be more circumspect, and take precautions such as using different user names on different services, the DIA advised.

In the case of the Sawers incident, enemy agents could identify Sawers's family members and close friends, and target them for kidnapping. Knowing where the Sawers stay when in London could allow them to bring an attack literally to the family's doorsteps.

Or the enemy agents could simply threaten to make fun of how Sawers looks in Speedos.
