UK gov's Cyber Essentials scheme suffers security breach


Someone sound the irony alarms

THE UK GOVERNMENT'S Cyber Essentials security scheme has been whacked by a security breach that has exposed the email addresses of consultancies bidding for sensitive contracts.

While the data exposed amounts to little more than email addresses and company names, it could put the affected organisations at greater risk of phishing and spear-phishing attacks, since an attacker now knows which companies applied for assessment and which address to target.

Details of the incident only came to light when the warning emails sent to affected companies were leaked to The Register.

"We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party," the notice stated.

"We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."

The organisation attributes the breach to a misconfiguration of the Pervade Software platform, which enabled "an unknown person" to access the list of email addresses in a log file generated by the platform. It says only company names, email addresses and IP addresses were exposed as a result.

Commenting, Ilia Kolochenko, CEO of web security company High-Tech Bridge, played down the seriousness of the breach.

"In light of the recent breaches exposing billions of records containing extremely sensitive information, I would not call this particular incident a 'breach'. Indeed, it can facilitate phishing attacks against the companies whose email addresses were exposed, however, virtually all this data can be gathered from public sources...

"The government's reaction is quite professional. However, additional technical details, such as date/time of the breach and preliminary results of the investigation would be helpful. Such incidents are quite hard to avoid unfortunately, moreover, due to lack of resources, many governmental websites have much more dangerous vulnerabilities that remain undetected for years," said Kolochenko. 

"Practically speaking and due to the nature of the CES accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly not harm though."

Image by: bykst // pixabay