A brute force cyber attack conducted by unnamed hackers on the Scottish Parliament's IT systems and email accounts appears to have failed.
Multiple login attempts by hackers have locked out email accounts belonging to several Scottish MPs but Holyrood's IT systems have not been affected.
The cyber-attack on the Scottish Parliament is similar to the one carried out on the UK Parliament in June that enabled hackers to infiltrate as many as 90 email accounts belonging to MPs including Prime Minister Theresa May as well as several of her cabinet colleagues.
Cyber-attack on parliament sponsored by Russian government, security agencies believe
A parliamentary spokesman had then confirmed that the breached email accounts contained weak passwords that did not conform to guidance issued by the Parliamentary Digital Service. Both cyber-attacks were concentrated on exploiting weak passwords associated with email accounts of British and Scottish parliamentarians.
“The parliament’s monitoring systems have identified that we are currently the subject of a brute force cyber-attack from external sources. This attack appears to be targeting parliamentary IT accounts in a similar way to that which affected the Westminster parliament in June. Symptoms of the attack include account lockouts or failed log-ins," said Sir Paul Grice, chief executive of the Scottish Parliament.
“The parliament’s robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational," he added.
Russian hackers trading email addresses and passwords of British MPs
Parliamentarians, other staff, and MSPs have been urged to change their passwords and use stronger combinations of alphabets, numbers and special characters to avoid getting hacked.
Even though none of the email accounts of Scottish parliamentarians were breached, a survey conducted by the Parliament's IT staff confirmed the presence of multiple accounts with simple passwords that can be breached using available software.
'The continued increase in the number of large-scale cyber-attacks impacting businesses and public bodies highlights just how vulnerable we remain to data breaches meaning organisations cannot continue to treat cyber security as a box-ticking exercise and risk falling foul to these harmful attacks,' says Jon Geater, CTO at Thales e-Security.
World Password Day and why Password123 is not a good idea
Geater adds that businesses and public bodies must implement watertight data security and encryption strategies to ensure data privacy. Even if hackers aren't able to access what they are looking for, cyber attacks can still lock out users and cause havoc in organisations' functioning.
Rich Campagna, CEO at security firm Bitglass, believes that while strong passwords with multiple combinations can defeat brute force attacks, they are hard to remember, forcing people to keep simpler passwords like 123456.
'Rather than advising users to create random strings of letters and words passwords, we should be recommending the use of passphrases. These will still be lengthy, but made up of real words, so easier to remember. It might seem simple, but the truth is, if a password takes too long to crack, hackers will simply move onto the next batch,' Campagna adds.