When Hitting “Send” Goes Spectacularly Wrong
We all know humans are the mistake prone part of any security plan. Give them a secure channel, a high-stakes mission, or a standard corporate inbox, and somehow, somewhere, someone will still send the crown jewels to the wrong person.
Let’s take a quick tour of three recent “how did that even happen?” moments, spanning the encrypted, the hopelessly unencrypted, and the painfully mundane.
- Signalgate: When “Secure Messaging” Isn’t Secure… Because People
March 2025 gifted us Signalgate, in which high-ranking U.S. officials, including Defense Secretary Pete Hegseth, used the encrypted app Signal to coordinate an actual military strike. The plan? Classified details. The execution? Accidentally adding The Atlantic’s editor, to the chat. Oops. Likely an innocent mistake, but one with possible consequences none the less.
Turns out encryption can’t save you from fat-fingering the wrong contact. The chat reportedly contained aircraft types, missile timelines and, because why stop there, an undercover CIA officer’s name. Epic facepalm. Congress wasn’t thrilled. Investigations followed. Somewhere, a DLP admin screamed into the void.
Security takeaway: The most secure tool in the world still can’t fix “wrong guy in the chat.” - ICE’s MMS Manhunt Fail: Group Chat Roulette
Fast forward to August 2025, when ICE agents running a manhunt accidentally added an unsuspecting civilian to an unencrypted MMS group chat. That was bad enough, but the lucky outsider got an unsolicited peek at a suspect’s Social Security number and surveillance chatter.
Yes, the government sent Social Security numbers over a plain old MMS chat. You read that right: not Signal, not Teams, not even iMessage. MMS. Like it’s 2005 and nobody’s ever heard of encryption. Not a good look, not a good one at all. At least the subject of the manhunt wasn’t the one added. Lemonade from lemons, right?
Security takeaway: If your “secure comms plan” involves MMS, your breach is already baked in and, adding the wrong person just makes it official. - Email Misaddressing: The Office Classic
And then there’s the everyday office blooper reel. Yep, sending sensitive emails to the wrong recipient. A slip of auto-complete, a forgotten “Reply All” trap, or just straight-up mis-typing an address, and boom, your proprietary report is now in the inbox of someone’s dentist. We have all messed up here. It happens. Maybe we are in a hurry to get home in time to catch a “Little House on the Prairie” marathon, or maybe it’s late on Friday and you are concentrating on the upcoming weekend, or perhaps you are just a bit overwhelmed and don’t notice the blunder. It happens and it’s so common we often don’t notice it, right up until compliance or security stops by. Never a fun conversation, and damage can be pretty significant.
Security takeaway: Just because it happens daily doesn’t make it harmless. Small leaks are still leaks. - Why Security Pros Should Care
Here’s the uncomfortable truth: all three of these examples are the same problem. It’s ultimately the sending of sensitive information to someone who shouldn’t have it. The channel used and stakes differ, but the root cause is identical. And if it can happen at the Pentagon, in a federal manhunt, or in your own marketing department, it can happen anywhere. Guess which one is the most common? - So, how can we fight it:
– Use DLP tools with brains – Flag or block when sensitive data is headed somewhere odd. Bonus points for making the user confirm recipients before sending. There’s not a lot you can do for the Signal or MMS flubs, but email is a different story.
– Better recipient controls – Implement Domain allowlists, restricted groups, and external recipient warnings. I was a part of a large DoD organization that was using a reasonably new enterprise email instance, when it was discovered that allowing anyone the ability to send to the “All CONUS” (name was changed to protect the guilty) was a less than great idea. It took days for the “Reply All” chain to die off. It’s good to see that the “replying all to tell people to quit replying to all” thing happens in the civilian world as well as the government. Whoops.
– Training that sticks – Make “double-check before you send” as reflexive as locking your screen. Teaching people to, slow down a bit and give things a look over, is an important thing to teach them. Training is not always about spotting phishing, sometimes the proper use of “BCC” and a quick review of recipients, even looking at the “CC” lines, can make the difference.
– Stop using junk tech for sensitive comms – Looking at you, MMS. Need I say more? For the love of all that is good in the world, don’t send socials or tax IDs via text messages.
- Final Word
• Signalgate: Elite stakes, rookie mistake.
• ICE’s blunder: Wrong tech, wrong time, wrong recipient.
• Email misaddressing: Death by a thousand paper cuts.
No matter the channel, one sloppy add or click can undo millions in security spend. So, monitor your comms, sanity-check your recipients, and maybe, just maybe, save your org from the next headline-worthy “oops.”
(Obligatory mention of my employer, whom I love: You may not know this, but my employer, KnowBe4, has email filtering tools as well. I love that we have graduated from just SAT to dealing with the whole human risk management issue.)