US Spy Chief Can't Even Secure a Gmail Account: The Bloody Disgraceful Password Habits That Should Terrify Every Business Owner

In my four decades in this business, I've seen some spectacular cybersecurity flops, but this one takes the fucking biscuit.

Tulsi Gabbard, the woman Donald Trump put in charge of America's entire intelligence apparatus, spent years using the same easily cracked password across Gmail, Dropbox, LinkedIn, and God knows what else. The same password. For years. The Director of National Intelligence, who oversees the CIA, NSA, and 16 other spy agencies with a combined budget of $100 billion, couldn't manage the most basic cybersecurity practice we teach to schoolchildren.

Shall we let that sink in for a moment?

When the Spy Chief Fails Password 101

The woman responsible for protecting America's most sensitive secrets treated password security like a child's game. According to WIRED's investigation, Gabbard used a password containing the word "shraddha" across multiple personal accounts from 2012 to 2019. The same bloody password appeared in data breach after data breach, exposed and indexed by security researchers like a neon sign advertising "hack me please."

This isn't some historical footnote from her congressional days. This happened while she served on committees with access to classified information, while she was privy to national security briefings that could reshape global politics. And she protected it all with the digital equivalent of a cardboard lock.

Her spokesperson's defence? "These data breaches happened nearly a decade ago, and the passwords have changed countless times since." Oh, brilliant. That's like saying, "yes, I left my front door wide open for years, but I've locked it now." The damage was already done, you muppets.

The Cybersecurity Hypocrisy That Should Infuriate You

Here's what should make every business owner's blood boil: while Gabbard was playing fast and loose with basic security, her own government was issuing guidelines that she completely ignored.

CISA, the government's cybersecurity agency, recommends passwords of at least 16 characters that are unique to every account. They've been shouting this from the rooftops for years: Use a password manager, enable multi-factor authentication, and don't reuse passwords. It's basic bloody hygiene.

Yet the person now overseeing the very agencies that issue these recommendations couldn't be arsed to follow them herself. It's like having a fire chief who smokes in bed while soaked in petrol.

The statistics tell a horrifying story of password negligence across the board. According to recent research, 81% of confirmed data breaches are caused by weak, reused, or stolen passwords. Microsoft found that 44 million of their users were reusing passwords. One study revealed that over 100,000 people still use Gabbard's exact password variations today.

Your Business: The Real Target

"But Noel," I hear you saying, "this is government incompetence. What's it got to do with my business?"

Everything, you naive fool.

If the head of American intelligence can't manage password security, what makes you think your employees can? While you're worried about sophisticated nation-state actors and advanced persistent threats, your biggest vulnerability is probably Sandra from accounts using "password123" for everything from petty cash access to your financial systems.

Small businesses are getting absolutely hammered because of password failures. Three-quarters of US small business owners reported cyberattacks in 2022, and 30% of all data breaches are caused by weak passwords. The average cost of a data breach is now $4.88 million, up 10% from last year.

Your customers' credit card details, your proprietary business data, your employees' personal information: all of it sitting behind passwords that wouldn't challenge a determined toddler with a laptop.

The Supply Chain Wake-Up Call

Here's the truly terrifying part: your business isn't just a target, it's a gateway. Cybercriminals know that small businesses often have weaker security than large corporations, but they frequently have access to bigger fish through supply chain relationships.

Remember when I wrote about the dental practice that became a data breach nightmare? That wasn't just about one dentist losing patient records. It was about how weak security in small businesses cascades up the chain, affecting everyone they touch.

Gabbard's password failures aren't just a personal security lapse. They're a national security vulnerability that could have compromised intelligence operations, put assets at risk, and exposed state secrets to foreign adversaries. The same principle applies to your business: your weak password isn't just your problem.

The MSP Accountability Crisis

This brings me to a point I've been hammering for years: where the hell are the managed service providers in all this?

If you're paying an MSP to handle your IT security, password policies should be non-negotiable. Any MSP worth their salt should have rolled out enterprise password managers, enforced multi-factor authentication, and run regular security training years ago.

Yet I still walk into businesses in 2025 where the MSP's idea of password security is a laminated card with "Spring2025!" written on it, stuck to the monitor with blu-tack. That's not IT support, that's IT malpractice.

Your MSP should be held accountable for basic security hygiene. If they're not enforcing strong password policies, monitoring for compromised credentials, and providing regular security training, then fire them. Find someone who understands that cybersecurity isn't optional in 2025.

What You Need to Do Right Bloody Now

Stop reading and start acting. Here's your immediate action plan:

1. Audit every password in your business today. Not next week. Today. If you find any shared passwords, repeated passwords, or anything that looks like it came from a decade-old security poster, change it immediately.

2. Implement a business-grade password manager. Not the free version of LastPass. Not a spreadsheet. A proper enterprise solution like 1Password Business or Bitwarden Business. Budget £3-5 per user per month and stop being tight-fisted about the security of your livelihood.

3. Enable multi-factor authentication everywhere. Email, banking, business applications, even your bloody printer if it supports it. Yes, it's inconvenient. So is explaining to your customers why their personal data is being sold on the dark web.

4. Train your staff properly. Not a five-minute lecture about not clicking suspicious links. Proper, regular cybersecurity training that covers password security, phishing recognition, and incident reporting. Make it mandatory. Make it frequent.

5. Hold your technology providers accountable. If your MSP, software vendors, or cloud providers can't demonstrate proper security practices, find alternatives. You wouldn't hire a builder who couldn't use a spirit level, so why tolerate IT providers who can't secure a password?
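
For step 1, a minimal offline audit sketch, added here as an example and not taken from the article or any vendor tool. It assumes a credential export with hypothetical columns account, username and password, and the base_word heuristic (letters only, lower-cased) is an assumption for spotting variations of one password.

```python
import csv
import io
import re
from collections import defaultdict

MIN_LENGTH = 16  # CISA minimum length quoted in the article

# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = """account,username,password
email,sandra,Spring2025!
dropbox,sandra,Spring2025!
banking,sandra,spring2024
linkedin,sandra,Spring#2023
payroll,raj,correct-horse-battery-staple-42
"""

def base_word(password):
    """Keep letters only, so 'Spring2025!' and 'spring2024' share a base."""
    return re.sub(r"[^a-z]", "", password.lower())

def audit(export_text):
    """Flag entries that are too short, reused verbatim, or variations of one base."""
    by_password = defaultdict(list)   # exact password -> labels
    by_base = defaultdict(list)       # base word -> (label, password)
    too_short = []
    for row in csv.DictReader(io.StringIO(export_text)):
        label = f"{row['username']}/{row['account']}"
        pw = row["password"]
        if len(pw) < MIN_LENGTH:
            too_short.append(label)
        by_password[pw].append(label)
        base = base_word(pw)
        if len(base) >= 4:            # skip bases too short to mean anything
            by_base[base].append((label, pw))
    # Findings carry labels only, so the report never contains a password.
    reused = [sorted(g) for g in by_password.values() if len(g) > 1]
    variants = [sorted(label for label, _ in g) for g in by_base.values()
                if len({pw for _, pw in g}) > 1]
    return {"too_short": sorted(too_short), "reused": reused, "variants": variants}

if __name__ == "__main__":
    for finding, entries in audit(SAMPLE_EXPORT).items():
        print(finding, entries)
```

Run it on a machine you trust, against an export you delete afterwards; the export itself is the most sensitive file in the exercise.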

The Bottom Line

Tulsi Gabbard's password failures are a mirror reflecting the sorry state of cybersecurity across America and beyond. When the person responsible for protecting the nation's most sensitive information can't manage basic password hygiene, it's a damning indictment of how seriously we take cybersecurity at every level.

Your business cannot afford to make the same mistakes. The criminals are getting more sophisticated, the stakes are getting higher, and the costs of failure are spiralling out of control. Password security isn't a nice-to-have anymore; it's survival.

If the Director of National Intelligence can cock up something this basic, imagine what damage a dedicated cybercriminal could do to your unprotected business systems. Don't let your company become the next cautionary tale.

The question isn't whether you can afford to implement proper password security. It's whether you can afford not to.

Fix your passwords. Train your people. Fire any MSP who thinks password security is optional. And for the love of all that's holy, stop treating cybersecurity like it's someone else's problem.

Because if there's one thing Gabbard's embarrassment should teach us, it's that security failures at any level can have catastrophic consequences. Don't let your business be next.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com