US National Security Advisor Michael Waltz reportedly used his personal Gmail account to communicate sensitive information, once again calling into question the security practices of the US’s top security officials.
As personal Gmail accounts offer less protection than government-approved platforms and are frequently targeted by spy agencies, Waltz’s alleged practices have raised concerns over potential security breaches.
The Washington Post, citing unnamed officials and email correspondence obtained via undisclosed means, said Waltz has received “exploitable information,” including his work schedule and documents, via his personal account.
The Washington Post said a “senior Waltz aide” also used his personal Gmail account to communicate “sensitive military positions and powerful weapons systems relating to an ongoing conflict” with officials from other agencies who used “government-issued accounts.”
However, US National Security Council Spokesperson Brian Hughes said Waltz did not send sensitive information via his personal account, adding that Waltz made sure to include his work account when responding to messages received by his personal account from “legacy contacts.”
“Waltz didn’t and wouldn’t send classified information on an open account,” said Hughes.
The revelation followed the Signal scandal in March, when Waltz accidentally included the editor-in-chief of The Atlantic in a private group chat – which also included top officials such as Middle East Envoy Steve Witkoff and Vice President JD Vance – on then-upcoming US military strikes in Yemen via Signal, an encrypted commercial communication app.
However, Hughes said that Signal “is approved and in some cases is added automatically to government devices” before acknowledging that the app is not intended for classified material.
Hughes insisted that Waltz never used Signal to disclose classified material, despite the evidence from The Atlantic that suggested otherwise.
Witkoff also communicated in the group chat while he was in Moscow for a visit, raising concerns that the communication was intercepted by Russian intelligence. While communications via Signal are encrypted, physical attacks are theoretically possible if malicious parties have physical access to the device’s USB port at any point, which could grant them access to the device’s data.
In a recent investigation, German magazine Der Spiegel also managed to obtain some of Hegseth’s and Waltz’s personal accounts via public sources.
The Washington Post said the Signal incident has infuriated US President Donald Trump, but a senior US official told the publication that Trump decided not to fire Waltz to avoid giving the “liberal media a scalp.”
Security concerns
Commercial email hosting services are more susceptible to hacking and phishing attacks, and the fact that accounts can easily be obtained via public sources makes them an easy target for malicious parties.
Microsoft, another tech giant with commercial email hosting services, has acknowledged and reported Kremlin-sanctioned hacking attempts – some successful – to compromise corporate accounts and exfiltrate email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, told The Washington Post that commercial email services are not encrypted unless additional measures, such as the GNU Privacy Guard (GPG), are employed.
“Unless you are using GPG, email is not end-to-end encrypted, and the contents of a message can be intercepted and read at many points, including on Google’s email servers,” Galperin said.
Other experts also questioned, in a comment to The Washington Post, why the officials did not use official encrypted communication platforms such as the Joint Worldwide Intelligence Communications System (JWICS), an enclosed, classified network used by US intelligence.

