Preprint
Article

This version is not peer-reviewed.

Improper Use of an Unauthorised Communication Channel in Critical Systems: Lessons from the 2025 Signal Leak

Submitted:

10 June 2026

Posted:

11 June 2026

You are already at the latest version

Abstract
The use of unauthorised communication channels has become a growing security concern inenvironments handling sensitive and operational information. This study analyses the risksassociated with the improper use of non-approved communication platforms through a technical-operational case study based on the 2025 “Signal group chat leak” involving senior United Statesgovernment officials. The study examines how sensitive military-related information was exchangedthrough an unauthorised messaging application, resulting in unintended exposure to an externalparty. The analysis focuses on the operational context of the incident, the sequence of events and theprocedural, technical and human failures that contributed to the breach. Attention is given toweaknesses in communication security policies, lack of monitoring and auditing mechanisms,insufficient participant validation procedures and the influence of operational pressure on userbehaviour. The study also evaluates the risks associated with the incident, especially regardingconfidentiality, accountability and organisational oversight. Based on the identified failures, a set ofcorrective and preventive measures is proposed. The findings highlight the importance of combiningtechnical safeguards, operational discipline and effective policy enforcement to maintain securecommunication environments and reduce the likelihood of similar incidents. Although the case isbased on a governmental and military-related incident, the lessons identified are also applicable tocritical systems and critical infrastructure environments, where communication failures maycompromise operational continuity, institutional accountability and security.
Keywords: 
;  ;  ;  ;  ;  ;  ;  ;  

1. Introduction

The protection of sensitive and classified information has become an increasingly important challenge in modern operational environments, particularly within governmental, military and security-related institutions. The growing dependence on digital communication systems has significantly improved the speed and efficiency of information exchange. However, it has also increased exposure to security risks associated with improper communication practices. One of the most relevant risks concerns the use of unauthorised communication channels for transmitting operationally sensitive information. These risks are particularly relevant not only in governmental and military contexts, but also in critical systems and critical infrastructure sectors, where communication failures may affect essential services, operational continuity and public safety.
Recent incidents have demonstrated that even high-level organisations may experience significant security failures when established communication procedures are bypassed. The improper use of unauthorised communication platforms can compromise confidentiality, reduce traceability and expose sensitive operational information to unintended parties. This work analyses this risk through a technical-operational case study based on the 2025 “Signal group chat leak” involving senior United States government officials. The study aims to identify the procedural, technical and human failures that contributed to the incident and evaluate the associated operational risks.
The structure of this work is organised into several sections. First, the conceptual background introduces the main concepts related to classified information protection, communication security and the risks associated with unauthorised communication channels. The state of the art then reviews current standards, policies and technical controls used to prevent data leakage and strengthen communication security. Next, the work reviews the operational case study and analyses the incident from a technical-operational perspective, focusing on failures, causality and risk assessment. Finally, corrective and preventive measures, lessons learned and the main conclusions of the study are presented.

2. Materials and Methods

The use of communication systems plays a fundamental role in modern operational environments, particularly in organisations that handle sensitive or classified information. The increasing reliance on digital communication platforms has improved efficiency and speed in information exchange, but it has also introduced new security challenges. One of these challenges concerns the improper use of communication channels that have not been authorised for transmitting sensitive information. Such practices can create significant risks for organisational security, including the loss of confidentiality and potential exposure of operational data.
Understanding the risks associated with unauthorised communication channels requires examining several underlying security concepts related to the protection and transmission of sensitive information. These concepts provide the theoretical foundation necessary to analyse incidents involving improper communication practices.
This section therefore reviews the main conceptual elements relevant to the study. First, it discusses the principles and mechanisms used for the protection of classified information, highlighting how access and handling of sensitive data are controlled within secure environments. Second, it introduces the concept of Communication Security (COMSEC), focusing on the measures used to protect information during transmission. Finally, the section examines the risks associated with the use of unauthorised communication channels and how such practices may compromise organisational security and operational integrity.

2.1. Protection of Classified Information

The protection of classified information is a critical component of information security in organisations that manage sensitive or strategic data. This type of information typically includes operational plans, intelligence reports, technical specifications, cryptographic material or any information whose unauthorised disclosure could compromise national security and integrity. To protect such information, organisations establish classification systems that define different sensitivity levels and corresponding protection requirements.
Common classification levels include categories such as confidential, secret and top secret, although the exact terminology may vary depending on national or organizational frameworks [1]. Each classification level determines the conditions under which information may be accessed, transmitted, stored and destroyed. Higher classification levels require stronger protective measures, including stricter access control mechanisms and more secure communication channels. One of the central principles governing the protection of classified information is the need-to-know principle [2]. According to this principle, access to classified information is granted only to individuals who both possess the appropriate security clearance and require the information to perform their official duties. This approach reduces the number of individuals exposed to sensitive data and minimises the risk of accidental or intentional disclosure.
In addition, technical safeguards play an important role in protecting classified information. These may include encryption technologies, secure storage systems, monitoring mechanisms and network segmentation. Physical security measures, such as restricted access areas and controlled storage facilities also contribute to maintaining confidentiality. Therefore, effective protection of classified information requires a combination of organisational policies, technical controls and human awareness, ensuring that sensitive data remains protected throughout its entire lifecycle.

2.2. Communication Security

Communication Security refers to the set of measures and procedures designed to protect information transmitted through communication systems from unauthorised interception, access or manipulation [3]. In environments handling classified information, communication security is essential to ensure that sensitive data remains confidential and that communication channels cannot be exploited by adversaries.
This encompasses several components, including encryption, secure communication protocols, authentication mechanisms and strict operational procedures governing the transmission of classified information. Encryption plays a particularly important role, as it transforms information into a protected format that can only be accessed by authorised parties possessing the appropriate cryptographic keys. Modern cryptographic systems are widely used to secure digital communications, preventing unauthorised actors from understanding intercepted data [3]. Recent studies analysing secure messaging platforms have nevertheless identified persistent concerns regarding metadata exposure, institutional governance and forensic visibility [4]. The image shows the workflow of using encryption when communicating.
Figure 1. Communication Security Model. Author’s own elaboration.
Figure 1. Communication Security Model. Author’s own elaboration.
Preprints 217977 g001
Another important aspect of communication security is the use of authorised communication channels. Organisations handling classified information typically designate specific networks, systems or devices that meet the required security standards for transmitting sensitive data [5]. These channels are designed to ensure secure transmission through encryption, controlled access, monitoring and logging mechanisms. Operational procedures also play a critical role in communication security. Employees must be trained to follow strict protocols regarding how and when classified information can be transmitted, including verification of recipient identity, correct classification markings and adherence to approved transmission methods.
Ultimately, communication security combines technical safeguards and operational discipline to ensure that sensitive information is transmitted only through controlled and secure channels, reducing the risk of compromise during communication processes.

2.3. Risks of Unauthorised Communication Channels

The use of unauthorised communication channels reviews a significant security risk in environments handling classified information. Unauthorised channels may include personal email accounts, public cloud services, instant messaging applications, or privately owned devices that have not been approved for handling sensitive data [5]. These channels often lack the necessary security controls required to protect classified information, making them vulnerable to interception, data leakage and unauthorised access.
One of the primary risks associated with unauthorised communication channels is the loss of confidentiality. When classified information is transmitted through external or unprotected systems, it may be stored on servers outside the organisation’s control or intercepted during transmission [3]. In many cases, these platforms replicate or store data automatically, increasing the risk of uncontrolled distribution and making it difficult to remove the information once it has been shared [6].
Another important risk concerns the loss of traceability and accountability. Authorised communication systems typically maintain detailed logs, access records and monitoring capabilities that allow organisations to reconstruct events and investigate potential incidents [2]. In contrast, unauthorised communication channels may not provide reliable auditing mechanisms, making it difficult to determine who accessed or distributed the information.
Human factors also contribute significantly to the use of unauthorised channels [7]. Operational pressure, lack of awareness, or the temporary unavailability of official communication systems may lead employees to seek alternative methods for transmitting information. Although these actions may be intended to maintain operational continuity, they can unintentionally introduce serious security vulnerabilities.
For these reasons, organisations must implement strict policies, technical controls and continuous training programmes to prevent the use of unauthorised communication channels and ensure that classified information is transmitted only through approved and secure systems.

3. Methodology

This study adopts a qualitative case study approach focused on the analysis of a real-world communication security incident involving the improper use of an unauthorised communication channel within a governmental environment. The selected case, commonly referred to as the “2025 Signal group chat leak” [8], was chosen due to its relevance to operational communication security, policy compliance and the handling of sensitive information in high-security contexts.
Multiple categories of sources were used to support the analysis, including international security standards and frameworks (NIST, ISO and NATO publications), cybersecurity guidelines published by ENISA and the NSA, publicly available governmental information, technical reports and media coverage related to the incident.
The operational timeline of the incident was reconstructed through cross-analysis of publicly available reports and statements describing the sequence of events, participant involvement and disclosure process. The analysis focused on identifying failures across three main dimensions: procedural failures, technical failures and human factors. Procedural failures were identified through comparison between observed actions and recognised communication security practices. Technical failures were assessed based on the absence or insufficiency of preventive controls such as monitoring, auditing, access validation and Data Loss Prevention mechanisms. Human factors were analysed through behavioural elements such as operational pressure, convenience-driven decisions and insufficient verification practices.
Risk evaluation was conducted qualitatively by assessing the likelihood and potential impact associated with the identified vulnerabilities. The analysis particularly considered risks affecting confidentiality, integrity, accountability and operational oversight.
This study reviews certain limitations. The analysis is based exclusively on publicly available information and does not include access to classified material, internal governmental investigations or official forensic reports. Consequently, some operational details may remain incomplete or subject to uncertainty.

4. State of the Art

The growing dependence on digital communication systems has made secure information exchange a central concern for both public and private organisations. In operational and security-sensitive environments, the misuse of unauthorised communication channels is no longer viewed solely as a procedural failure, but as a broader governance and risk management issue. Current research and professional practice increasingly recognise that incidents involving personal email accounts, messaging applications or unapproved cloud services are often linked to a combination of technological gaps, organisational culture and human behaviour [7].
The state of the art in this field therefore combines regulatory frameworks, technical safeguards and behavioural approaches. International standards and security frameworks provide guidance on how organisations should control information flows, restrict the use of non-approved systems and respond to communication-related incidents [9]. At the same time, modern technical solutions such as Data Loss Prevention (DLP), monitoring systems, identity management tools and network access controls are widely used to detect and prevent unauthorised transmissions of sensitive data.
Recent studies also emphasise the importance of usability and operational continuity. When authorised systems are unavailable, slow or overly complex, users may bypass formal procedures in favour of faster alternatives [5]. For this reason, contemporary security strategies increasingly focus not only on enforcement, but also on designing secure communication systems that remain practical and efficient for users.
This section reviews the main security standards, organisational policies and technical controls currently used to prevent unauthorised communication practices and strengthen the protection of sensitive information in operational environments.

4.1. Security Standards and Policies

Security standards and organisational policies play a fundamental role in preventing the use of unauthorised communication channels [10]. They establish the rules, responsibilities and control mechanisms required to ensure that sensitive information is transmitted only through approved systems. Without a clear regulatory framework, organisations may face inconsistent practices, weak accountability and increased exposure to data leakage incidents.
One of the most widely recognised standards in this area is ISO 27001 (International Organization for Standardization), which provides requirements for establishing an Information Security Management System (ISMS). The standard promotes a risk-based approach to information security and requires organisations to implement controls related to access management, communication security, incident response and continuous improvement [11]. In the context of communication channels, ISO 27001 encourages the definition of formal procedures for secure information transfer and the protection of data during transmission.
Another important reference is the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the related NIST SP 800-series publications. These frameworks emphasise governance, asset protection, monitoring, detection and response capabilities [2,10]. They are particularly relevant for organisations that require strong operational resilience and detailed security controls over networks and communications infrastructure.
In defence and governmental environments, additional regulations often apply. Military organisations and institutions handling classified information typically maintain internal communication security policies that define which systems are authorised, how classified information may be transmitted and what actions must be taken in case of misuse or compromise [1]. Such policies usually include mandatory encryption, logging requirements, approval procedures and reporting obligations.
However, the existence of standards alone is not sufficient. Effective implementation depends on regular training, audits, enforcement mechanisms and management commitment [7]. Several studies demonstrate that organisational compliance with cybersecurity policies is strongly influenced by management support, user awareness and institutional security culture [12]. Policies must also remain realistic and operationally viable, otherwise, users may ignore them in favour of faster but insecure alternatives. For this reason, current best practice combines formal standards with practical procedures that support secure behaviour while maintaining operational efficiency.

4.2. Technical Controls to Prevent Data Leakage

Technical controls are essential for preventing the unauthorised transmission of sensitive information and reducing the risk of data leakage through non-approved communication channels [6]. While policies and training establish expected behaviour, technical safeguards provide continuous enforcement and monitoring capabilities that do not depend solely on user compliance. In modern organisations, these controls form a critical layer of defence against both accidental and intentional misuse of communication systems.
One of the most widely adopted solutions is DLP technology. These systems monitor, detect and block attempts to transmit sensitive information through unauthorised channels such as personal email accounts, external cloud services, removable media or messaging platforms. These tools can inspect content based on keywords, document labels, file types or predefined security rules, allowing organisations to identify suspicious transfers before data leaves the controlled environment [10].
Another important measure is email security filtering. Secure email gateways can restrict outbound messages to external domains, scan attachments, apply encryption policies and prevent users from sending classified or confidential material through unapproved addresses. Similar controls can be extended to web traffic through proxy systems capable of blocking access to unauthorised file-sharing platforms or communication applications [13].
Identity and Access Management (IAM) solutions also contribute significantly to data protection. By enforcing strong authentication, role-based access control and user accountability, IAM systems reduce the likelihood of unauthorised users accessing or distributing sensitive information. Multi-factor authentication further strengthens protection by reducing the risk of credential compromise.
Additional controls include network segmentation endpoint protection, security monitoring tools and centralised logging systems. These mechanisms help detect anomalies, contain incidents and preserve evidence for investigation [14].
However, technical controls are most effective when integrated into a broader security strategy. Poorly configured or overly restrictive systems may encourage users to bypass official tools [7]. Therefore, organisations should combine strong technical safeguards with usability, training and regular reviews to ensure both security and operational effectiveness.

4.3. Research Gap and Scientific Contribution

Existing literature on secure communication systems, shadow IT and insider threats demonstrates that employees frequently bypass authorised platforms when official communication mechanisms are perceived as operationally restrictive, inefficient or unavailable [15]. Research on shadow IT practices shows that unofficial communication tools such as WhatsApp, Signal and Telegram are commonly adopted in organisational environments to improve usability and operational speed, often outside institutional oversight and security governance frameworks [16]. Recent research has further demonstrated that encrypted messaging applications frequently create governance and monitoring limitations in institutional environments despite providing strong cryptographic protection [15]. Studies further indicate that these practices significantly reduce organisational visibility, traceability and control over sensitive information flows.
Research on policy non-compliance and cybersecurity behaviour also highlights the influence of human and organisational factors in security incidents. Existing studies demonstrate that operational pressure, usability concerns, weak security culture and excessive dependence on user discretion frequently contribute to procedural deviations and insecure communication behaviour. In high-pressure operational environments, users often prioritise efficiency and mission continuity over strict compliance with institutional communication policies.
The insider threat literature additionally emphasises that security incidents are not exclusively associated with malicious actors. Previous research demonstrates that accidental insider actions and misuse of authorised access frequently contribute to operational security incidents in high-sensitivity environments [17]. Accidental disclosures, misuse of authorised access and communication errors performed by trusted personnel represent a major source of operational security compromise. Current research identifies insufficient monitoring, weak access validation procedures and lack of behavioural controls as recurring factors in insider-related incidents.
Although secure messaging applications provide strong end-to-end encryption, recent studies demonstrate that these platforms still present important limitations regarding metadata exposure, auditing capabilities, institutional governance and compliance with governmental record-keeping requirements. Existing research therefore suggests that encryption alone is insufficient to guarantee secure communications in governmental or military environments where accountability, monitoring and operational oversight are critical requirements.
Despite the growing body of literature on shadow IT, secure messaging and insider threats, limited research has examined the operational security risks associated with the use of commercial encrypted messaging applications in high-sensitivity governmental environments [18]. Systematic literature reviews also indicate that limited research has addressed the intersection between secure messaging applications, operational security and governmental communication governance [18]. Existing studies predominantly focus either on technical security properties or on general organisational policy compliance, while insufficient attention has been given to the interaction between human behaviour, operational pressure, governance limitations and communication security failures in real-world governmental incidents.
This study contributes to the existing literature by providing a technical-operational analysis of the 2025 Signal leak through an integrated COMSEC-oriented perspective combining procedural analysis, human factors, operational security assessment and institutional governance evaluation. The article further contributes by proposing a structured analytical framework for examining communication security failures involving unauthorised encrypted communication platforms in sensitive operational environments.

5. Results

This section reviews a technical-operational analysis of a real-world incident involving the improper use of an unauthorised communication channel. The case is based on the widely reported “Signal group chat leak” (2025), which occurred within the United States government [8]. The incident involved the discussion of sensitive military-related information through a non-approved messaging platform, leading to unintended exposure.
The objective of this study is to analyse the operational context and reconstruct the sequence of events that contributed to the incident.

5.1. Operational Context

The incident took place within the United States governmental and national security environment, involving senior officials responsible for defence and foreign policy decision-making. This context includes institutions linked to national security, intelligence and military operations, where the handling of sensitive information is subject to strict regulatory and procedural controls [10].
In such environments, communication involving operational or military-related information must be conducted through authorised and accredited government communication systems, designed to ensure confidentiality, integrity and traceability [5]. These systems typically include secure networks, classified communication platforms and monitored infrastructures that comply with national security policies and legal requirements.
The actors involved in this case included senior government officials, advisors and employees participating in discussions related to military operations, reportedly associated with ongoing activities in regions such as the Middle East, including Yemen [8]. Given the nature of the information, communications should have been restricted to secure and authorised channels [1]. However, instead of using official systems, participants relied on the Signal messaging application1 a commercially available encrypted platform. Although Signal provides strong encryption, it is not authorised for the transmission of classified or operationally sensitive government information due to limitations in auditing, centralised control and compliance with official record-keeping requirements [10].

5.2. Incident Description

The incident results in unintended exposure to an external party. The following image reconstructs the sequence of events based on publicly available information [19].
Figure 2. Operational flowchart of the Signal group chat incident: sequence of events, failures and consequences. Author’s own elaboration.
Figure 2. Operational flowchart of the Signal group chat incident: sequence of events, failures and consequences. Author’s own elaboration.
Preprints 217977 g002
T0 – Creation of the Communication Channel. A group chat is created using the Signal messaging application by senior United States government officials to facilitate discussions related to military operations. The platform is selected due to its ease of use and perceived security features, including end-to-end encryption. However, the use of this application does not comply with official communication policies governing sensitive information [8].
T1 – Inclusion of Participants. Multiple participants, including senior officials and advisors, are added to the group. During this process, an external individual, a journalist, is mistakenly included in the conversation. This error highlights the absence of formal participant validation procedures typically required in authorised communication systems.
T2 – Transmission of Sensitive Information. Participants begin exchanging information related to military planning and operational activities, reportedly connected to ongoing operations in regions such as Yemen. Although the platform provides encryption, the information is transmitted outside authorised government-controlled systems, resulting in a loss of institutional oversight and control.
T3 – Unauthorised Exposure. The presence of the unintended participant leads to the exposure of sensitive information to an external entity. Due to the nature of the platform, there are no centralised monitoring or real-time detection mechanisms capable of preventing or immediately identifying the breach.
T4 – Public Disclosure. The incident becomes publicly known when the external participant discloses the existence of the group chat and its contents. At this stage, the information is no longer contained within controlled environments, significantly increasing the potential impact.
T5 – Response and Investigation. Following public disclosure, the incident triggers internal reviews and external scrutiny. Authorities assess the extent of the exposure, identify procedural and operational failures and evaluate compliance with established communication security policies .

6. Technical-Operational Analysis

This section reviews a structured analysis of the incident, focusing on the identification of failures, the causal chain that led to the event and the associated risks.
The objective is to determine how procedural, technical and human factors contributed to the improper use of an unauthorised communication channel and the resulting exposure of sensitive information.

6.1. Procedural Failures

The incident reveals multiple failures across procedural, technical and human domains, demonstrating a breakdown of established communication security practices [7].
Procedural failures are particularly evident in the use of an unauthorised communication platform for discussing sensitive operational information. Established policies governing communication security require that such information be transmitted exclusively through approved and monitored systems [1]. The decision to use a commercial messaging application indicates either non-compliance with existing procedures or the absence of effective enforcement mechanisms. Additionally, there was a failure in participant validation, as no formal verification process was applied before adding individuals to the communication group [20].
Technical failures are also present, primarily in the lack of preventive controls capable of restricting or detecting the use of unauthorised communication channels [2]. The absence of DLP mechanisms, network-level restrictions, or endpoint controls allowed sensitive information to be transmitted outside controlled systems without immediate detection. Furthermore, the use of a platform without centralised logging or monitoring capabilities prevented real-time oversight and delayed incident detection [14].
Human factors played a critical role in the incident. The mistaken inclusion of an external participant demonstrates a lack of attention to detail and insufficient verification practices. In addition, the decision to prioritise convenience and speed over compliance with security procedures suggests inadequate training or a weak security culture [7,10]. Similar behavioural patterns have been identified in previous studies examining policy non-compliance and informal technology usage in operational environments. Operational pressure and reliance on informal communication tools may have further contributed to the deviation from authorised practices.
Together, these failures highlight systemic weaknesses in both organisational controls and user behaviour. Table 1 presents the relationship between the identified failures, their operational consequences and the corresponding mitigation measures applicable to similar communication security incidents.

6.2. Causal Analysis

The incident can be understood as the result of a chain of interconnected failures rather than a single isolated mistake. At the root level, the primary cause lies in the use of an unauthorised communication platform for operational discussions. This decision created an institutional control, where standard security mechanisms such as monitoring, auditing and access validation were absent [6].
A key contributing factor was the lack of strict enforcement of communication policies. Although formal rules likely existed, they were either not sufficiently enforced or not perceived as mandatory by the users. This gap between policy and practice allowed informal communication methods to be used without immediate consequences.
The inclusion of an unauthorised participant reviews a direct trigger of the incident. This human error was not mitigated by any technical or procedural safeguards such as participant verification, access confirmation or automated warnings. In authorised systems, such mechanisms would typically act as barriers to prevent or detect this type of error [10].
Another contributing factor is the organisational reliance on user discretion in high-pressure environments. The perceived need for rapid communication may have led users to bypass official systems in favour of more convenient alternatives [7]. This reflects a broader issue in which usability and operational efficiency are not sufficiently aligned with security requirements.
The incident therefore illustrates how communication security failures often emerge from the interaction between human behaviour, organisational culture and insufficient technical enforcement mechanisms.

6.3. Risk Assessment

The incident reviews significant risks across multiple dimensions of information security, particularly affecting confidentiality, integrity, availability and organisational accountability. This image illustrates a risk assessment matrix used to evaluate and classify risks according to their likelihood and impact.
Figure 3. Likelihood vs impact matrix. Author’s own elaboration.
Figure 3. Likelihood vs impact matrix. Author’s own elaboration.
Preprints 217977 g003
The most critical impact is on confidentiality, as sensitive military-related information was exposed to an unauthorised external party [1]. Once transmitted through an uncontrolled platform, the organisation loses the ability to restrict access, prevent duplication, or ensure deletion of the information [6,21]. This creates a high risk of further dissemination and potential exploitation.
In terms of integrity, although there is no direct evidence that the information was altered, the use of an unauthorised platform introduces the possibility of manipulation or misinterpretation. The absence of controlled communication channels reduces the assurance that the information remains accurate and unmodified [3].
The impact on availability is less direct but still relevant. The incident may lead to operational disruptions, including temporary suspension of communication activities, system reviews or restrictions on information sharing while the situation is being assessed [11].
A significant additional concern is the loss of traceability and accountability. Unauthorised communication platforms typically lack reliable logging and auditing mechanisms, making it difficult to reconstruct events, assign responsibility or provide verifiable evidence [11]. This limitation affects both incident response and potential legal or administrative actions.
From a risk perspective, the likelihood of such incidents is considered moderate to high in environments where informal communication tools are accessible and policies are not strictly enforced. The impact, however, is high due to the sensitivity of the information involved [10]. As a result, the overall risk level can be classified as high, requiring immediate corrective actions and long-term preventive measures.

7. Corrective and Preventive Measures

To address the failures identified in the incident and reduce the likelihood of recurrence, a combination of corrective and preventive measures must be implemented [10,11]. These measures should cover technical, procedural and organisational aspects, ensuring both immediate containment and long-term improvement of communication security practices.
In the short term, immediate corrective actions are required to contain the incident and limit further exposure of sensitive information. All use of the unauthorised communication platform must be immediately terminated and participants formally instructed to cease any exchange of operational information through non-approved channels [5,10]. Where possible, attempts should be made to remove or delete the shared information. however, given that the data has already been transmitted outside controlled systems, complete recovery cannot be guaranteed [6]. At the same time, an internal incident response process must be initiated, including identification of all individuals involved, assessment of the extent of exposure and verification of whether the information has been accessed, copied, or further disseminated. Temporary restrictions on user accounts involved in the incident may also be necessary to prevent additional unauthorised actions during the investigation.
From a preventive perspective, organisations must strengthen their communication security framework to address the root causes of the incident. This includes the implementation of technical controls capable of restricting the use of unauthorised communication channels, such as Data Loss Prevention (DLP) systems, application control mechanisms and network-level filtering to block access to non-approved platforms [10]. In addition, monitoring systems and logging capabilities should be enhanced to ensure that anomalous communication behaviour can be detected in a timely manner.
Procedural improvements are equally important. Organisations must clearly define and enforce policies specifying authorised communication channels and the conditions under which sensitive information may be transmitted [9,10]. These policies should include formal approval processes, clear responsibilities and mandatory compliance requirements. Regular audits should be conducted to verify adherence to these procedures.
Furthermore, user awareness and training must be reinforced. Employees should receive regular training on communication security, including the risks associated with unauthorised platforms and the importance of following established procedures. Training should also address decision-making under operational pressure, emphasising that convenience must not override security requirements. For each implemented measure, verifiable evidence should be maintained, including incident reports, system configuration records, training logs and audit results [2]. Table 2 maps the identified communication security weaknesses to recognised cybersecurity controls and governance frameworks applicable to governmental and high-security operational environments.

8. Discussion

The incident highlights several important lessons regarding the management of communication security in environments handling sensitive information. One of the primary lessons is that strong technical tools alone are not sufficient to ensure security [7]. Even when encryption is used, as in the case of the Signal application, the absence of institutional control, auditing and policy compliance can result in significant vulnerabilities [3]. Security must therefore be understood as a combination of technical, procedural and human factors.
Another key lesson concerns the importance of strict adherence to authorised communication channels. The use of informal or unauthorised tools, even for convenience or efficiency, introduces risks that can quickly escalate into serious incidents [22]. Organisations must ensure that authorised systems are not only secure but also usable and available, reducing the incentive for users to bypass them [5].
The incident also demonstrates the critical role of human error and behavioural factors. The accidental inclusion of an unauthorised participant highlights the need for verification mechanisms and increased awareness among users. Training programmes and a strong security culture are essential to reduce the likelihood of such errors [7]. From an organisational perspective, the case illustrates the need for continuous monitoring, auditing and enforcement of policies. A gap between formal procedures and actual practices can create systemic vulnerabilities that remain undetected until an incident occurs.
In terms of applicability, the lessons derived from this case are relevant to any organisation that handles sensitive or classified information, including military, governmental and critical infrastructure environments. The findings are also relevant for critical systems, including energy, transport, telecommunications, healthcare and public administration environments, where the use of unauthorised communication channels can weaken operational control, reduce traceability and increase the risk of service disruption. The principles identified can be generalised to improve communication security practices, strengthen operational discipline and reduce exposure to risks associated with unauthorised communication channels [10].

9. Conclusions

The improper use of unauthorised communication channels reviews a significant operational and security risk in environments handling sensitive or classified information. The analysed case demonstrated how the use of a non-approved encrypted messaging platform, combined with procedural weaknesses and human error, resulted in the exposure of sensitive operational information outside authorised governmental control.
The study showed that failures in policy enforcement, monitoring, participant verification and organisational oversight can compromise confidentiality, traceability and accountability. The incident also highlighted that strong encryption alone is insufficient when communication systems operate outside institutional governance structures and approved security frameworks.
From a technical-operational perspective, the analysis reinforces the importance of combining technical safeguards, operational procedures and continuous user awareness. Measures such as Data Loss Prevention technologies, access validation mechanisms, continuous monitoring, secure communication policies and regular security training are essential to reduce the likelihood of similar incidents.
This work also contributes to the discussion surrounding the growing use of informal or “shadow IT” communication solutions in high-security environments. The findings demonstrate how operational convenience and communication efficiency may lead personnel to bypass authorised systems, creating vulnerabilities even within organisations operating under strict security regulations.
The study has certain limitations, particularly the reliance on publicly available information and the absence of access to classified reports or internal governmental investigations. Future work could expand the analysis through comparative case studies involving other communication security incidents, insider threat scenarios or unauthorised collaboration platforms used in governmental and military environments.
By extending the analysis to critical systems, this study reinforces that secure communication governance is essential not only for classified governmental environments, but also for organisations responsible for essential services and critical infrastructure.
Ultimately, the case demonstrates that secure communication practices remain fundamental for protecting operational integrity, maintaining institutional accountability and preserving national security interests in modern digital environments.

Abbreviations

The following abbreviations are used in this manuscript:
COMSEC Communication Security
DLP Data Loss Prevention
ENISA European Union Agency for Network and Information Security
IAM Identity and Access Management
ISMS Security Management System
ISO International Organization for Standardization
NATO North Atlantic Treaty Organization
NIST National Institute of Standards and Technology
NSA National Security Agency
OSINT Open-Source Intelligence

References

  1. NATO. Security Within the North Atlantic Treaty Organization. 2020. [Google Scholar] [CrossRef] [PubMed]
  2. NIST SP 800-137; Assessing Information Security Continuous Monitoring (ISCM). 2020.
  3. NIST SP 800-52; Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. 2019.
  4. Samarin, N.; Sanchez, A.; Chung, T.; Juleemun, A. D. B.; Gilsenan, C.; Merrill, N.; Reardon, J.; Egelman, S. The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services; Creative Commons, 2024. [Google Scholar]
  5. National Security Agency. Mobile Device Best Practices. 2023. [Google Scholar] [CrossRef] [PubMed]
  6. ENISA. Data Protection Engineering: From Theory to Practice; 2022. [Google Scholar]
  7. ENISA. Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity; 2018. [Google Scholar]
  8. Signal chat flouted rules on classified intel, say former defense officials. Wash. Post. 2025. [CrossRef]
  9. ISO27001; Information security, cybersecurity and privacy protection — Information security management systems — Requirements. 2022.
  10. Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53; Rev. 5. 2020.
  11. NIST SP 800-61; Computer Security Incident Handling Guide. 2012.
  12. Mansour Naser Alrajaa, U. J. B. M. A. Information security policies compliance in a global setting: An employee’s perspective; ELSEVIER, 2023. [Google Scholar]
  13. ENISA, E-mail security. 2010.
  14. NIST SP 800-46; Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. 2016.
  15. Homoliak; Toffalini, F.; Elovici, Y.; Ochoa, M. Insight into Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Countermeasures. ACM Computing Surveys, 2018. [Google Scholar]
  16. Silic, D. S. a. G. O. Mario. Influence of Shadow IT on Innovation in Organizations; CSIMQ, 2016. [Google Scholar]
  17. Saxena, N.; Hayes, E.; Bertino, E.; Ojo, P.; Choo, K.-K. R.; Burnap, P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses; Electronics, 2020. [Google Scholar]
  18. Silic, M. a. B. A. Shadow IT–A view from behind the curtain. In Computers & Security; PRE-PRINT, 2014. [Google Scholar]
  19. Singh, P.; Sharma, A. A systematic literature review on insider threats. 2022. [Google Scholar] [CrossRef] [PubMed]
  20. Goldberg, J. The Trump Administration Accidentally Texted Me Its War Plans; The Atlantic, 2025. [Google Scholar]
  21. NIST SP 800-63B-4; Digital Identity Guidelines Authentication and Authenticator Management. 2020.
  22. ENISA. Cloud Security Guide for SMEs. 2015. [Google Scholar] [CrossRef] [PubMed]
Table 1. Conceptual comparison of operational communication failure modes and mitigations.
Table 1. Conceptual comparison of operational communication failure modes and mitigations.
Preprints 217977 i001
Table 2. Governance framework mapping to operational communication controls.
Table 2. Governance framework mapping to operational communication controls.
Preprints 217977 i002

Notes

1
Signal is a free, open-source and encrypted messaging application focused on privacy and secure communications.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings