Poland Bans Signal for Officials After Credential‑Compromise Campaign Targets Government Accounts
What Happened – Polish authorities have ordered all government personnel to discontinue use of the Signal messenger after a series of credential‑compromise attacks targeted politicians, military staff and civil servants. Attackers used phishing, fake support messages and malicious QR codes to steal verification codes and take full control of official accounts.
Why It Matters for TPRM –
- State‑level actors are exploiting trusted consumer‑grade messaging apps to infiltrate government communications.
- Social‑engineering attacks bypass encryption, exposing sensitive policy and operational data.
- The shift to a nationally‑hosted platform highlights the risk of relying on third‑party SaaS tools for classified communications.
Who Is Affected – Public‑sector agencies in Poland (government ministries, military, elected officials) and any third‑party vendors that integrate with or support Signal for official communications.
Recommended Actions –
- Review any contracts that permit the use of consumer messaging apps for sensitive data.
- Verify that encryption and authentication controls meet national‑level standards.
- Require proof of secure onboarding, MFA enforcement, and incident‑response procedures for any approved communication tool.
Technical Notes – The attacks leveraged phishing and social‑engineering to obtain verification codes or PINs, enabling full account takeover. No vulnerability in Signal’s end‑to‑end encryption was found, but the credential‑compromise vector allowed attackers to read private chats, group messages and historical conversation logs. The Polish Ministry of Digital Affairs is transitioning staff to mSzyfr Messenger and SKR‑Z, both internally hosted and compliant with national security classifications. Source: Security Affairs