The UK foreign secretary's number was discovered by a Guardian reader who used a routine Google search. Having first been uploaded on the web in 2010, it remained online after Raab became foreign secretary and first secretary of state in 2019. After The Guardian contacted the website, the latter removed both Raab's number and personal data.
"The wide availability of Mr Raab’s personal phone number poses serious risks to the privacy and security of the UK foreign secretary", says Pierluigi Paganini, a cybersecurity and intelligence expert. "It exposes the UK's national security to the risk of cyberattacks by nation-state actors and cybercrime organisations".
One of the possible scenarios described by the cybersecurity expert is one in which an attacker could contact the UK politician and trick him into installing a malicious application that could completely take over his device. Sophisticated actors could also use zero-day exploits in mobile operating systems (OS) and applications used by Dominic Raab to compromise his smartphone and access his communications and sensitive data stored on the device, according to Paganini.
"In some cases, the attacks don’t require any user interaction, this means that simply sending a WhatsApp message or an SMS to the victim, it is possible to hack into his phone", he emphasises.
In addition to a potential hacker threat, anyone could potentially bypass official channels to reach out to the foreign secretary and try to blackmail him or "provide him specially crafted fake news that could influence his sentiment on specific topics", the cybersecurity analyst suggests.
This is not the first time that the phone number of a high-ranking British official has found its way into the public domain. In April 2021, it turned out that Prime Minister Boris Johnson's mobile phone number had been available online for the past 15 years after it was published in a think tank press release in 2006. The revelation prompted sharp criticism from Johnson’s political rival, Labour leader Sir Keir Starmer, who said at the time that it was "a serious situation [that] carries a security risk". The Labour leader explained that he had himself changed his number upon becoming director of public prosecutions in 2008. "I have kept it secure since then", Starmer stressed.
"The UK intelligence has already in place specific measures to prevent such kinds of incidents", Paganini underscores. "Members of the government and persons of interest have to use protected devices with specific numbers that are not publicly available".
He laments the lack of awareness of cyber threats among politicians and business executives: "Their bad habits expose their organisations to the risk of cyberattacks", the intelligence expert believes.
Practicing Safe Computing Could Solve the Problem
Other cyber specialists warn about exaggerating the threat of phone numbers being available online.
"I do not see this as damaging. A phone number is simply a phone number", notes Kevin Curran, professor of cyber security at Ulster University and group leader for the Ambient Intelligence & Virtual Worlds Research Group at the Computer Science Research Institute. "My mobile number is on my website. That means nothing. Yes, a scammer could find my mobile and try to send me malware but they still have a lot to do. A mobile number is like an email address. Yes, it identifies someone but it is not a real problem".
While malicious actors could indeed try to reach out to a British official, the latter is supposed to be an adult person that does not click on unverified links and block unknown users who are trying to call him or her.
Although the professor agrees that people should for the most part keep their mobile numbers private, he believes that "there is no real security risk if a number becomes public".
"What matters is that people practice safe computing and understand that you should always be on your guard about any message that arrives in your inbox even if from a ‘friend’ as that message could have been spoofed", Curran underscores. "Simply do not click on links you are not sure about".