How Did A GCHQ Intern Steal Top-Secret Data? | The Awareness Angle #20



This episode kicks off with a bin bag full of military secrets…
Yes, really. This week on The Awareness Angle, we dig into one of the most surreal data breaches we've seen — confidential MOD documents found scattered across a street in Newcastle. The papers contained shift patterns, access codes, and names of personnel. No cybercriminals, no malware — just a ripped bin bag and a serious failure of physical security.

That story alone would be enough for a full episode, but things only got weirder from there. We also talk about the GCHQ intern who smuggled top secret data out of one of the UK’s most secure environments using his personal phone. It’s a reminder that insider threats don’t always look like spies or saboteurs — sometimes it’s just someone ignoring the rules because they think they can get away with it.

Then there’s the Microsoft Teams phishing campaign that’s using voice calls, fake IT support messages, and Quick Assist to gain remote access to devices. It’s clever, convincing, and another example of attackers mimicking the tools and behaviours we trust most.

We also cover:

  • 🐦 The alleged leak of 2.8 billion Twitter/X profiles, possibly from an insider. The data doesn’t include passwords, but it does contain rich profile metadata, making it a goldmine for phishing, impersonation, and social engineering.

  • 📱 A new strain of Android malware, known as Crocodilus, that steals crypto by overlaying fake wallet prompts and exploiting accessibility permissions. It’s active in Turkey and Spain, but it’s a clear reminder of the risks of sideloaded apps and granting too much access too quickly.

  • 🔗 A breakdown of URL phishing techniques like subdomain spoofing, typosquatting, shortened links, and open redirects. We dig into what they look like, how they work, and how to teach users to spot them without overwhelming them.

  • 🧪 A particularly sneaky CAPTCHA phishing trick that uses a fake verification screen to lure users into copying and pasting JavaScript into their browser console — which, of course, gives the attacker full access to the user’s session.

And finally, we look at some of the new UK government plans to mandate breach reporting for critical infrastructure, with potential £100K-a-day fines for non-compliance. It’s a clear sign that regulation is tightening, and that incident response readiness isn’t just nice to have — it’s essential.

From paper documents in the street to phishing links that look almost perfect, this episode is packed with stories that show how fragile security can be when humans are involved. If you’re running a security awareness programme, these stories are gold — weird enough to get attention, real enough to land the message.

💬 Episode 19 Discussion Points


🐦 Twitter/X Data Leak – 2.8 Billion Profiles Exposed in Alleged Insider Breach
https://hackread.com/twitter-x-of-2-8-billion-data-leak-an-insider-job/

🪖 MOD Paperwork Breach – Sensitive Military Documents Found in the Street
https://www.bbc.co.uk/news/articles/cwyjed2038ko


📞 Teams Phishing – Attackers Use Teams, Quick Assist, and Vishing for Access
https://www.scworld.com/brief/microsoft-teams-other-tools-exploited-in-new-vishing-scam

🔗 URL Phishing Techniques – How to Spot Suspicious Links and Lookalike Domains
https://tcm-sec.com/how-to-identify-url-phishing/

🕵️ GCHQ Data Breach – Intern Pleads Guilty After Taking Top Secret Info Home
https://www.theguardian.com/uk-news/2025/mar/31/ex-gchq-intern-admits-risking-national-security-with-data-breach


📱 Crocodilus Android Malware – Fake Overlays Used to Steal Crypto Wallet Keys
https://cointelegraph.com/news/andriod-malware-crocodilus-can-take-over-phones-to-steal-crypto


🧪 Fake CAPTCHAs – Phishing Attacks Ask Users to Paste Code in Browser Console
https://medium.com/@__sudocoder__/real-world-clickfix-attack-how-hackers-turn-a-simple-click-into-a-full-breach-2d17415f667e


🚨 UK Cyber Resilience Bill – Critical Infrastructure Must Report Cyber Incidents
https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

📦 Royal Mail Data Leak – Third-Party Provider Breach Under Investigation
https://www.bleepingcomputer.com/news/security/royal-mail-investigates-data-leak-claims-no-impact-on-operations/amp/


📱 Signalgate – Human Error Exposes U.S. Military Plans in Group Chat
https://cybernews.com/security/trump-signal-chat-human-error/


🎧 OUCH! Now a Podcast – SANS Security Newsletter Gets the Audio Treatment
https://sth-community.sans.org/t/q6yfrfh/ouch-newsletter-now-also-in-podcast


🎟️ National Cyber Security Show – NEC Birmingham, April 8–10
https://www.nationalcybersecurityshow.com/

