What does the 2025 "Signal-Leak" affair illustrate about the human factor in information security?
Even at the highest security level, humans bypass approved channels for convenience — top US officials discussed an imminent military strike in a Signal group chat that accidentally included a journalist.
The case: members of the US administration (including the Secretary of Defense) coordinated military strike details — launch times, weapons platforms, targets — in a consumer messaging app, and a journalist had accidentally been added to the group. The Pentagon launched an investigation.
Why it's the perfect human-factor case study:
- No technology failed. Signal's encryption worked exactly as designed. The breach was 100% human behavior: wrong tool for the classification level, no membership verification, convenience over procedure.
- Hierarchy is no protection — these were principals with maximal clearance and maximal training. Awareness is not solved by seniority.
- Shadow IT at the top: choosing a handy unofficial channel over cumbersome official ones is exactly what employees everywhere do when secure processes have high friction (→ Handlungskosten, in PMT terms).
Tip: Use cases like this in awareness campaigns — real, recent, prominent incidents make threats real (Bedrohung real machen) far better than abstract warnings.
Go deeper:
Social engineering (security) — Wikipedia — Wie menschliche Schwächen statt Technik ausgenutzt werden; der Signal-Leak ist ein rein menschlicher Fehlgriff.