A data breach suffered by the government's Cyber Essentials scheme has exposed names and e-mail addresses of several registered consultancies.
The data breach may have rendered a number of registered consultancies vulnerable to phishing attacks by hackers.
The UK Government's 'Cyber Essentials' accreditation programme was set up to help companies strengthen their IT systems, implement the latest cyber security practices and effectively handle and protect customer data. To ensure more companies join the programme, the government has mandated that those without accreditation will not be able to bid for government contracts.
In 2015, the government announced a £500,000 addition to the Cyber Essentials scheme fund to educate university students on cyber security to address a workplace skills shortage. “We want to make the UK the safest place in the world to do business online and Cyber Essentials is a great and simple way firms can protect themselves,” said Digital economy minister Ed Vaizey.
On Wednesday, the Cyber Essentials Scheme itself suffered a major data breach that compromised names and e-mail addresses of a number of registered consultancies. A configuration error in the software used for Cyber Essentials assessments enabled a third party to access a list of email addresses generated by the platform. Pervade Software, who supplied the software for Cyber Essentials assessments, now claims that the issue has been resolved.
"We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party," said Dr Emma Philpott, Chief Executive at IASME Consortium in an e-mail to the affected consultancies.
"An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed.
"The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue," said Pervade Software following the data breach.
The fact that the Cyber Essentials scheme itself is vulnerable to data breach doesn't speak very highly of existing detection mechanisms to counter potential cyber-attacks.
"The incident illustrates that even the most security savvy organisations can make errors that can leave them exposed," said Javvad Malik, security advocate at AlienVault.
"Therefore it is essential to have robust threat detection capabilities in place that can monitor and alert where unauthorised access is being attempted so that the appropriate response may be taken. Having ongoing detection in place across both the network and critical hosts allows enterprises to have the assurance that systems are working as intended under the control of authorised persons," he added.
A breach notice issued by Pervade Software and the IASME has warned affected consultancies to be cautious of e-mails which may seem to come from authorities engaged in the Cyber Essentials scheme. It is possible that hackers who got hold of the e-mail addresses may conduct phishing attacks in the near future.