Signal App Mistake? How Federal Contractors Should Handle Unauthorized Government Data

Written By Joshua Lawton

In the wake of a high-profile Signal leak involving U.S. military war plans, federal contractors and business owners are asking a pressing question:

“What should I do if I’m accidentally added to a Signal chat—or receive encrypted messages—containing government information I’m not authorized to access?”

This isn’t a hypothetical. In a March 2025 incident, senior Trump administration officials accidentally included a journalist in a Signal group chat discussing classified war plans for Yemen. While that incident involved top officials, contractors can find themselves in similar situations, especially when working closely with government teams using encrypted apps for speed and convenience.

Here’s what you need to know—and what you should do—if this happens to you.

First: Stop. Don’t Read Further.

If you’re added to a chat, group, or thread containing government information you’re not authorized to access—whether it’s classified details, PII, or sensitive procurement data—do not keep reading or engage further.

Accessing, saving, or sharing the content could escalate your liability.

Why This Matters: Legal Risks and Compliance

Depending on the type of information shared, several federal laws and regulations kick in:

Encrypted messaging apps like Signal, Telegram, or WhatsApp may be convenient, but they lack the layered access controls and audit trails required for government information—especially if message auto-deletion is turned on.

Step-by-Step: What You Should Do Immediately

1. Do Not Engage Further

  • Do not comment, respond, forward, screenshot, or download anything.

  • Avoid clicking links or opening attachments.

2. Secure the Information

  • If possible, isolate the chat or message. Don’t allow others on your team to access it.

  • Turn off auto-syncing to cloud services or shared systems.

3. Notify the Government—Quickly

  • If the content appears classified: Immediately notify your Facility Security Officer (FSO) if you have one. They will escalate through the proper security channels.

  • If it includes PII or FCI: Contact the Contracting Officer (CO) listed on your contract. FAR 52.204-21 requires notification of cybersecurity incidents affecting systems with FCI within 72 hours.

  • If you’re unsure: Notify your Contracting Officer or Agency Point of Contact anyway. It’s better to overreport than underreport in these situations.

4. Document Your Actions

  • Keep a record (timestamped) of what you did and when: when you received the message, when you stopped reading, and when you reported the issue.

  • Do not keep a copy of the sensitive content unless explicitly instructed to by the government.

5. Follow Government Instructions

  • The agency may instruct you to delete, return, or otherwise dispose of the information securely.

  • Do not delete or forward anything until you receive guidance.

Common Scenarios That Still Require Action

Even if you think it’s a small issue—like being added to a group chat with non-sensitive language or receiving a misdirected attachment—you’re still responsible for proper handling.

Examples:

  • A government staffer accidentally sends PII about another contractor.

  • A procurement official includes you in a group Signal chat discussing pending awards.

  • You’re added to a chat discussing foreign operations, and you’re a domestic-only subcontractor.

These are all reportable events.

Protecting Your Business and Your Contract

Failure to report—even if unintentional—can:

  • Trigger audits or contract termination

  • Lead to suspension or debarment from future federal work

  • Jeopardize your CMMC or FISMA compliance standing

  • Cause reputational damage, especially if media or IG investigations follow

Being proactive protects your company and shows your commitment to federal compliance, cybersecurity, and ethics.


Moving Forward: Best Practices for Contractors

  • Train Your Team: Ensure your staff knows what to do when they receive unauthorized info.

  • Restrict App Use: Consider internal policies limiting Signal, Telegram, or WhatsApp use for government business unless approved.

  • Audit Device Policies: If you use personal or BYOD devices for federal work, tighten security settings and logging.

  • Build Incident Response SOPs: Add unauthorized information receipt scenarios into your cybersecurity response plan.

Final Thought: When in Doubt, Report It

You don’t need to know if the information is officially classified to report it. If it looks like government business and you shouldn’t have it—say something.

The U.S. government expects its contractors to act with discretion, discipline, and integrity.

Even if the breach wasn’t your fault, your response still counts.


If you aren't a Squared Compass partner, what are you waiting for? From getting your business set up with specific government set aside programs at both the State and Federal level, to being empowered by a Fractional Capture team to win government contracts, to receiving tailored government contract opportunities Squared Compass delivers immense value which helps propel our partners to success. Schedule a chat with our team today.

Joshua Lawton www.joshualawton-belous.com
Previous

Key Changes in GSA MAS Refresh 25: What Contractors Need to Know
Next

Get to Know DoD’s Software Acquisition Pathway