"A Guardian journalist has negligently disclosed top secret WikiLeaks' decryption passwords to hundreds of thousands of unredacted unpublished U.S. diplomatic cables," according to a statement released by WikiLeaks.
"WikiLeaks has commenced pre-litigation action against the Guardian and an individual in Germany who was distributing the Guardian passwords for personal gain," it said. In particular, WikiLeaks alleged that the Guardian violated the confidentiality agreement that it signed with the whistleblowing group, which dictated that the cables be published by groups in exchange for their "local knowledge," which would be used to "remove the names of persons reporting unjust acts to U.S. embassies."
The suit marks an abrupt change in the tenor of WikiLeaks with the Guardian, which along with the New York Times, Der Spiegel, Le Monde and El Pais were selected by the group to help study, redact, release, and publicize the sensitive diplomatic cables.
The Guardian, however, has denied the WikiLeaks allegations. "It's nonsense to suggest the Guardian's WikiLeaks book has compromised security in any way," according to a statement released by the paper.
"Our book about WikiLeaks was published last February," according to the statement. "It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."
The password in question--ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#--appears on page 148 of WikiLeaks: Inside Julian Assange's War On Secrecy written by David Leigh and Luke Harding, and published in February 2011.
Earlier this week, news reports cited rumors that WikiLeaks had lost control of a password-protected archive containing unredacted versions of all 251,287 cables in its possession. Rumors also suggested that the password was circulating separately, and available via the Internet. Some news reports cited WikiLeaks rival OpenLeaks, founded by WikiLeaks defector Daniel Domscheit-Berg, as the source of the tip-offs. A resident of Germany, he may be the "individual in Germany" mentioned by WikiLeaks as a target of its "pre-litigation action."
Over the past nine months, just a fraction of the 251,287 cables that WikiLeaks obtained had been released. But the availability via BitTorrent of the "cables.csv" file, containing all of the cables, as well as accessibility of the password, led WikiLeaks to last week to suddenly release 134,000 new cables. Those cables included the names of at least 100 diplomatic sources that had been marked for "special protection," meaning that the State Department didn't want the names to be disclosed publicly.
WikiLeaks said that it's known of the existence of the BitTorrent file, as well as the "passwords" for accessing it, for the past month, but avoided commenting on the matter, in an attempt to not draw attention to the passwords.
WikiLeaks blames the Guardian for causing it to rush its cable-release program. "Over time WikiLeaks has been building up, and publishing, the complete Cablegate 'library'--the most significant political document ever published," it said. "The mammoth task of reading and lightly redacting what amounts to 3,000 volumes or 284 million words of global political history is shared by WikiLeaks and its partners. That careful work has been compromised as a result of the recklessness of the Guardian."
These days, of course, data breaches--or in this case at least, loss of data control--are nothing new. Furthermore, numerous breaches can be traced to insiders who release, maliciously or inadvertently, sensitive information. Accordingly, was it reasonable for WikiLeaks to expect that it could maintain full control over a sensitive cache of all of the cables, many of which it's already shared with more than 90 media and human rights groups worldwide? Perhaps the group can consider itself lucky that it managed to control its publication schedule for as long as nine months.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)