'Little weirdo' shoulder surfer teaches UK cabinet minister a lesson in cybersecurity

Tory comms leaked thanks to a barefooted Johnny Mercer’s wayward situational awareness

In setting the date for the UK's next general election, prime minister Rishi Sunak this week essentially announced the start of open season for political reporters all hunting for the top scoop of the day by any means necessary. He may need, however, to brief his ministers on basic opsec if he's going to stop any more internal memos from reaching the front pages.

On May 22, less than 24 hours before PM Sunak said July 4 would be the day UK citizens decide on their next leader, The Times published a gem sourced from photos taken of veterans' affairs minister Johnny Mercer's laptop on a public train.

It's an example of shoulder surfing – a type of social engineering technique that involves peering at other people's devices to discover secrets like passwords, PINs, sensitive emails, and the like.

We're not sure what's worse here, the cyber hygiene gaffe and abject failure to protect internal party comms from the prying eyes of the British public traveling from Exeter to London, or the fact that along with his laptop Mercer was papped with his bare feet cheesing out the first-class carriage. For shame, Johnny.

For those whose interests extend beyond the mere cybersecurity aspects of this story, the photos revealed Mercer's memo criticizing Downing Street for giving the PM too much airtime and should instead be offering more public speaking gigs to more popular members of the Conservative party, such as Kemi Badenoch and Penny Mordaunt.

Among a long list of complaints, Mercer accused campaign managers of trying to "placate" Sunak and overlooking the likes of Badenoch and Mordaunt in favor of "average performers" such as transport secretary Mark Harper.

Mercer also wrote "I don't feel part of the team", presumably referring to being left out in some way by party leaders. This was after he accused special advisers of being "overpromoted and underskilled" and having "poor political judgments." 

The mind boggles as to why the Tories may not be leaning more heavily on Mercer.

Perhaps more illuminating on the current government's attitude towards voting, Mercer also appeared to suggest that the Conservatives were suppressing votes from specific demographics.

His memo states that he was upset that his attempts to let military veterans, who had previously been turned away from polling stations, use their ID cards to prove their identity when voting had been denied. Downing Street special advisers apparently blocked these proposals because it could also "open the floodgates" and allow students to also use their ID cards too.

Beware of nosy parkers

The idea of shoulder surfing has been around for well over a decade but if you look around for some examples, you'll find more sources simply explaining the concept itself than real-world cases of it causing actual harm.

Mercer's case is certainly the only one this reporter has encountered affecting something as sensitive as a governing political party's internal comms. 

Last year, John Roch of London's Metropolitan Police issued a warning about criminals shoulder surfing people entering PINs for their banking apps and then swiftly stealing the phone to drain their accounts.

While it's not common, Roch said there have been cases where criminals also try the same PIN with other finance apps, and trawl through notes apps for any other credentials of use, presumably before selling the device as quickly as possible.

Over in the US, Daniel Jermaine Usher, 26, of South Los Angeles, was previously found guilty of shoulder surfing elderly ATM users and draining their accounts, and while that's undoubtedly nasty behavior, it's still not as high profile as perusing secret government memos.

We got in touch with the Cabinet Office to ask for comment and find out if ministers are briefed on the dangers of shoulder surfing, but it hadn't responded by the time of publication.

While we wait for a response from the UK gov, we can instead turn to Mercer's X account, which is where he responded to The Times' scoop by calling the public transport snapper a "little weirdo."

"So some little weirdo has gone round snapping my laptop reading private messages from a private email account," Mercer Xeeted. "My shoes and socks were off because I'd just cycled across Dartmoor in the rain. 

"Shoot me now. Or grow up." ®

More about

TIP US OFF

Send us news


Other stories you might like