Government Messaging Application Hacked
Major vulnerabilities were exposed in a messaging application used by government officials and agencies, after a hacker breached its database and stole customer data, 404 Media reported Sunday. The recent Signal scandal was caused by human error, but this hack showed a more severe, systemic deficiency in the government’s communications systems themselves.
The hack involved an application called TeleMessage, owned by a Portland, Oregon-based company named Smarsh. The app offers modified versions of messaging platforms such as Signal, WhatsApp, Telegram, and WeChat. The application gained publicity after a news photograph in the midst of the Signal scandal showed the app open on former National Security Advisor Mike Waltz’s phone, with apparent recent messages with Secretary of State Marco Rubio, Director of National Intelligence Tulsi Gabbard, and Vice President J.D. Vance.
The obvious benefit of the app to government users is that it provides an easy way to archive the messages, which is required by federal records retention laws. The obvious downside, at least after this hack, is that the archived messages may be easier to hack than messages protected by the point-to-point encryption offered by secure commercial messaging apps.
The hacker collected data on both federal and local government agencies, as well as financial institutions, according to screenshots reviewed by 404 Media. The information related to Customs and Border Protection (CBP), the intelligence branch of the Washington, D.C. Metropolitan Police, cryptocurrency platform Coinbase, and Scotiabank.
The data included “apparent message contents; the names and contact information for government officials; usernames and passwords for TeleMessage’s backend panel; and indications of what agencies and companies might be TeleMessage customers,” 404 Media reported.
Fortunately, the hacker apparently did not obtain any messages among members of President Trump’s Cabinet, or from Waltz. But that does not make the data breach any less concerning.
Even more concerning is the ease with which the cyber attack was orchestrated. “I would say the whole process took about 15-20 minutes,” the hacker told 404 Media, which does not know his or her identity. “It wasn’t much effort at all.” The hacker stole the data from an Amazon cloud server based in Northern Virginia.
After the hack was reported, TeleMessage temporarily suspended service on Monday.
The suspension makes sense. TeleMessage cannot offer a secure service until it finds a way to resolve the vulnerabilities. However, the fact that a suspension is necessary suggests that TeleMessage is unable to resolve the vulnerability quickly. The fact that it only announced the suspension after the data breach was publicly reported suggests that it may not even have known about the data breach in advance.
These disturbing reflections illustrate the U.S. federal government’s major vulnerabilities in cyberspace. Such data breaches, if exploited by the wrong party at the wrong time, can foil military operations, turn officials into de facto foreign agents, and put American lives at risk.
When a single official fat-fingers a journalist into a high-level chat group, that makes headlines. But when the government’s communication system can be compromised in 20 minutes or less, that is the real five-alarm fire.
This hack is the equivalent of an unlocked door that isn’t even on the guard’s patrol route. It’s an unacceptable oversight.
It’s one thing to talk about “building cybersecurity capabilities” or “countering cyber-espionage.” Such boilerplate verbiage may convince Congress to fork over millions, but there’s a difference between trendy jargon and building a system that works. America needs the latter. Federal cybersecurity offices should be constantly checking for vulnerabilities, holding red-team exercises, and trying to stay ahead of our very aggressive adversaries abroad.
The silver lining of this account is that at least this vulnerability was exposed now, in this way. America faces no pressing crises. America is not in a hot war with China. And the hacker involved may not have even been associated with our foreign adversaries. In other words, the consequences of this breach may be less severe than they could have been. But now the government needs to plug the hole.
Joshua Arnold is a senior writer at The Washington Stand.


