The hoaxer posed as a senior Downing Street aide and managed to hold an email conversation with the home secretary on her personal email account. Rudd revealed she was working with her special adviser Mohammed Hussein on a series of announcements to be made in August before realising she was corresponding with a hoaxer.
The self-styled “email prankster”, who uses the moniker Sinon Reborn, set up an email address in the name of Robbie Gibb, Theresa May’s recently appointed communications chief, using the free email service GMX. He emailed Rudd’s publicly available parliamentary email address and she replied using a separate personal email account.
The “relative ease” with which the 39-year old website designer from south Manchester claims to have tricked Rudd is likely to be embarrassing for the home secretary, who has overall responsibility for cyber security.
One computer security expert warned that external email systems, such as Microsoft Outlook, which Rudd used with the hoaxer, are more vulnerable to intrusion than government email accounts.
When Rudd realised she was not talking to Gibb, she ended the correspondence, but not before she had talked about plans for “positive announcements” and a forthcoming holiday.
“I managed to speak to a home secretary with relative ease on her personal email address,” Reborn told the Guardian. “I replied again saying: ‘Don’t you think you should be more aware of cyber security if you are home secretary?’ and I never got a reply from that.”
The same hoaxer has tricked the son of the US president, Eric Trump, the next US ambassador to Russia, Jon Huntsman Jr, and the former White House communications chief Anthony Scaramucci, sparking an investigation in Washington into cyber-security. He has also duped the governor of the Bank of England, Mark Carney, and Barclays boss Jes Staley by setting up fake email accounts.
A Home Office source confirmed that the exchange had taken place, but said Rudd does not use her personal email address to discuss government business. “As the email exchange shows, she rapidly established that this was a hoax and had only exchanged pleasantries up to that point.”
Christopher Weatherhead, a technologist at Privacy International, warned that such accounts are vulnerable.
“A system provided by a third party, such as Outlook, may not only be accessible to an individual, but also to the staff of the hosting company, advertising partners and potentially foreign governments - either through direct access to the companies’ system or through intrusion,” he said. “For example, as American companies, Microsoft and Google may be required to give access to the NSA. Considering the sensitivity of the information handled by parliamentarians, both from their constituency and government business, it is critical that communications and information remain secure.”
The anonymous hoaxer told the Guardian he decided to see if he could fool UK government ministers when he spotted that the prime minister had hired Gibb, a senior BBC journalist, to run Downing Street’s communications. He set up firstname.lastname@example.org and sent emails to publicly available addresses for Boris Johnson, the foreign secretary, Philip Hammond, the chancellor, and Rudd, saying it was “great to be on board and that I’d be talking to them at some stage and that if they’d got any questions, my door is always open”.
Only the home secretary replied. From her personal account, she said: “Thanks for your email Robbie. I am delighted you are on board. We must have a chat when you are a bit settled … Meanwhile Mo and I are working on plans to ensure we have some positive announcements during Aug, when I expect to be on holiday – at last! Best, Amber.”
Shortly afterwards, he replied: “Yes, a proper sit-down would be superb. I’m just finding my feet as I am sure you can imagine. I’m excited though. Positive announcements sound ideal! What is it you are working on, if you don’t mind me asking? Sadly a summer holiday for myself looks unlikely. Maybe autumn, unlike you I haven’t worked hard enough to deserve one as yet! Robbie.”
After a pause of almost two hours Rudd realised he was not Gibb and replied: “Well, as you can imagine a few things on the agenda but getting tough on people impersonating others is definitely up there. Amber.”
“I sent a message to Amber afterwards, as me but not saying my name, saying: ‘Look, I was only trying to make a point about your security there. I am from Manchester which was bombed not all that long back.”
The hoaxer said he first started carrying out email pranks at work last year, pretending to be his boss in emails to colleagues. He impersonates others by setting up email addresses in their names using free services like Gmail and Mail.com.
“I think I quite enjoy the challenge of mimicking somebody’s responses and character,” he said. “In a way I am like an agoraphobic actor. A lot of people ask if I am doing it from my mum’s basement. That’s the image of a hacker: a cellar surrounded by big servers whirring away with death metal music in the background. In fact, most of it was done at home lying on my bed watching Netflix.”
Reborn’s first public prank – on Barclays chief executive Jes Staley - came after the prankster ran up a huge gambling debt. He said he suffers from mental health problems, which include obsessive behaviour. He responded to the offer of a £5 free bet on a phone app and ran up £1,000 in losses. He went to Barclays to borrow £500, but the loan was declined. He said he explained that he had gambling debts. He claims the bank’s app later informed him he had approval for a £20,000 loan. Within four days he had borrowed £15,000 and gambled it away on online roulette.
“I was in a bit of a psychotic episode and it just kept on going and wouldn’t stop,” he said.
He decided to complain to Barclays and was given the reply that he had not told them he was gambling before the loans were issued. He said he sent a note directly to Jes Staley “pouring my heart out” and received a letter saying they would reconsider the case. An agreement was reached to reduce the loan repayments based on what he could afford, but that meant taking every spare penny he had, he said.
He said he decided to prank Staley in what he described as a modern version of being “chained to his gates trying to get his attention”. He noticed that Staley had been challenged by shareholders at Barclays AGM and had been defended by the chairman, John McFarlane.
“I quickly set up a Gmail account for Mcfarlane,” he said. “I looked at his face, thought he was probably classically educated, might like a bit of Scotch, so I would stick a bit of Shakespeare in there.”
He entitled the first email “the fool doth think he is wise”, and wrote: “I do feel we’ve ceased the rally for you [sic] head today. Surely the fickle-minded nature of the angry few will help tie up any loose ends. You owe me a large Scotch.”
Staley replied, saying: “You are a unique man Mr McFarlane.”
What followed was a bizarre exchange, with Staley saying he wanted to hear McFarlane ad-lib on guitar because “you have all the fearlessness of Clapton” and the fake McFarlane penning a nonsense poem with the first letter of each line spelling “Whistleblower”.
He tipped off the Financial Times and it ran the story. “It was nice to feel that I owed him money, but I probably cost him more than that in reputation.”
Barclays declined to comment due to client confidentiality.
Last month Reborn targeted the White House. Attempts to get Donald Trump’s email failed, but the format for White House aides was easier. He tried various prefixes for different targets. The first one to come back was Eric Trump.
“I was pretending to be his brother,” he said. “He sent me the reply, ‘Is this you?’ I sent one back saying ‘Yes, why?’ and he just replied as if he was responding to his brother. Apparently that was all the verification he required and I was now in the inner sanctum.”
Reborn said he has already identified more targets and that he had just sent hoaxes to “a couple of Trump supporters and a reality TV star”.
guardian.co.uk © Guardian News and Media Limited 2010