Among a series of high-profile digital security missteps by government officials this year, none has drawn quite so much scrutiny as recent blunders attributed to U.S. Secretary of Defense Pete Hegseth. These incidents have reignited concerns surrounding the handling of sensitive government information through digital platforms.
Earlier, Jeffrey Goldberg, editor-in-chief of The Atlantic, disclosed that he had inadvertently been included in a Signal group chat by U.S. National Security Advisor Michael Waltz, in which multiple senior government officials openly discussed detailed military operations against Houthi forces in Yemen. Alarmingly, these conversations explicitly cited planned targets, locations, and timing of potential military strikes. While everyone makes occasional mistakes in managing their digital interactions, accidentally revealing highly classified military intelligence to a journalist certainly exceeds typical online embarrassments such as mistakenly liking an old social media post.
Recently, matters escalated further as reports emerged indicating Hegseth himself had again mismanaged classified intelligence using Signal. This time, sensitive information detailing strategic plans for operations in Yemen was shared in a chat group containing Hegseth’s lawyer, his brother, and his wife—none authorized or cleared to receive privileged government communications.
These breaches are particularly troubling. However, history reminds us that they are far from isolated events. Digital missteps involving officials and technology have repeatedly occurred across governments globally, leading to compromised security or personal safety.
In 2018, military personnel unintentionally exposed the locations of covert military bases through Strava, a fitness-tracking and social network app. Intended for athletes to record workouts, Strava defaults all user activities to a public setting unless deliberately changed. The company’s published global heat map inadvertently highlighted the exact locations and layouts of remote military installations due to concentrated user activity—mostly from foreign soldiers stationed in countries like Afghanistan and Iraq. Further complicating operational security, accessible user-profiles linked to specific running routes enabled easy identification of personnel stationed at these secret bases, a significant and obvious security vulnerability.
In another notably public example, BuzzFeed News discovered U.S. President Joe Biden’s Venmo account in 2021. Since Venmo, a peer-to-peer payment app, shares transactions publicly by default, reporters could easily identify members of Biden’s family and administration and build an extensive picture of their social circles. Even when set to private, Venmo accounts reveal users’ friends lists, leaving potential vulnerabilities open.
These challenges reemerged recently as officials, including Hegseth and Waltz, were also discovered through easily identifiable and publicly searchable Venmo accounts, demonstrating systemic digital vulnerabilities that persist years later.
Even advanced encrypted services provide limited protection against basic operational security failures. In 2017, Catalonia’s former president, Carles Puigdemont, fled to Belgium following Spain’s crackdown on Catalan independence efforts. During a public event a few months later, a journalist’s camera accidentally captured sensitive messages being exchanged via encrypted chat between Puigdemont and former Catalan health minister Toni Comín. These messages revealed Puigdemont privately expressing doubts about the prospects of independence, severely embarrassing the separatist movement.
Incidents such as these underscore a fundamental lesson often overlooked by even the highest-ranking officials: technology alone cannot guarantee security. Human error remains an ever-present vulnerability, highlighting the need for continual vigilance and ongoing digital security training, especially among senior officials entrusted with safeguarding sensitive information.
