Privacy News

Journalists need encryption - and the Washington Post hack shows why

China hacked email accounts of important WP journalists. This shows why end-to-end encryption matters, particularly for free speech.

Quote by cryptography expert Bruce Schneier; Every time you use encryption, you're protecting someone who needs to use it to stay alive.

The recent cyberattack on the Washington Post, compromising the email accounts of journalists covering national security and economic policy, is a chilling reminder of how much privacy matters. And end-to-end encryption is the last line of defense that we have for protecting confidential information online - whether used by journalists, whistleblowers, dissidents, or by you and me - encryption can save lives and must be protected!

While full details are still emerging, the attack on Washington Post journalists reportedly targeted Microsoft email accounts belonging to journalists writing on sensitive topics, including China. This incident bears disturbing similarities to the 2022 hack of Wall Street Journal parent News Corp, where foreign actors - allegedly linked to Chinese state interests - sifted through emails, documents, and draft articles. The motives are clear: intelligence gathering, source exposure, and ultimately, information control.

And yet, the core vulnerability remains the same: unprotected communication channels. Despite rising awareness of surveillance threats, many newsrooms still rely on traditional email services that unlike Tuta Mail do not offer end-to-end encryption. The Washington Post attack is just the latest case proving how easily mailboxes can be breached and the data abused - if not protected properly.

Journalists are high-value targets

Journalists reporting on topics of (foreign) state interests like government policies, human rights, or geopolitical issues, have become prime targets for attacks, especially from China and Russia. And these attackers are very powerful, which anyone can understand when looking at the Salt Typhoon hack: an attack where Chinese hackers infiltrated the - outdated - telecommunications’ infrastructure of large US telco providers such as AT&T, Verizon and T-Mobile to intercept the communications of US officials.

In addition to politicians, journalists and their sources are often attacked by foreign spies. Journalists know a lot - often more than what they publish - and they manage a lot of this information in their mailboxes. Within their emails, potential attackers can find unpublished investigations, background information, and, of course, contact information of sources and whistleblowers so that the attackers can identify who is leaking important information. Consequently, journalists must protect their data even better than the “average Joe” because it is incredibly valuable to (foreign) attackers.

To this day, email remains a critical way of communication. Oftentimes, whistleblowers contact journalists via their publicly available email address to establish a communication channel. For this, an option for end-to-end encrypted email is highly recommended.

Turn ON Privacy in one click.

Why end-to-end encryption is essential

The Washington Post hack proves once again why end-to-end encryption is needed when communicating online. If journalists want to protect their sources, their whistleblowers, their stories, and their reputation, they must adopt email platforms that provide end-to-end encryption by default - not as an optional extra.

End-to-end encryption ensures that only the sender and recipient can read the content of a message. Not the email provider, not the government, and not any attacker who manages to gain access to the server. At Tuta, we believe this should be the norm, especially for professions like journalism where confidentiality often is a matter of life and death.

Zitat des Kryptographie-Experten Bruce Schneier: Jedes Mal, wenn Sie Verschlüsselung verwenden, schützen Sie jemanden, der sie zum Überleben braucht. Zitat des Kryptographie-Experten Bruce Schneier: Jedes Mal, wenn Sie Verschlüsselung verwenden, schützen Sie jemanden, der sie zum Überleben braucht. Quote by cryptography expert Bruce Schneier: Every time you use encryption, you are protecting someone who needs to use it to stay alive.

Relying on Big Tech? Better not

The Washington Post relies on Microsoft accounts, just like countless other organizations and most authorities around the world. Yet, this is not a good idea, particularly when you need to protect valuable information. For instance, Microsoft’s New Outlook shares a lot of data, even passwords, with its cloud, and due to privacy-infringements like these, German schools may no longer use MS365. But also if you use Microsoft on an Exchange server, your data is not secure. The scandals related to Microsoft being hacked go so far that even the US government told Microsoft to get its security right - before adding any new features.

So where does this leave you? If you are an investigative journalist handling critical information, you must take care of your digital security and offer a confidential communication channel to sources, activists, and whistleblowers.

Best practice tips for journalists

  1. Create an end-to-end encrypted email account and make your email address public. Then potential whistleblowers can create their own free email account with Tuta and contact you confidentially and securely.
  2. Choose an encrypted alternative to WhatsApp, for instance Signal.
  3. Use a password manager and two-factor authentication to make sure your login credentials can not get hacked.

Journalism needs privacy

The media is one of the last remaining safeguards we have that defend us against authoritarianism, corruption, and abuse of power. To do that, journalists need more than courage, they need tools that actually protect them. It’s time for a privacy-first overhaul of newsroom communications, from encrypted emails to encrypted chat and best login protections.

The Washington Post attack is a warning that needs to be taken seriously.

Journalists must act now. Because if their communications aren’t protected, neither are their sources.

Illustration of a phone with Tuta logo on its screen, next to the phone is an enlarged shield with a check mark in it symbolizing the high level of security due to Tuta's encryption.