A cyber attack on Westminster has compromised up to 90 parliamentary email accounts, officials have confirmed.
The incident, which took place over the weekend, saw hackers launch a sustained and determined attempt to access MPs' email accounts by searching for weak passwords.
Parliamentary officials were forced to lock MPs out of their email accounts to reduce any potential damage from the attack.
The National Cyber Security Centre (NCSC) and the National Crime Agency have been working with the House of Commons to investigate the attack, which is thought to have affected up to 90 of the 9,000 user accounts. No information has been released regarding whose accounts may have been compromised.
Cyber security professionals have shared their thoughts and reactions to the news.
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, believes conducting frequent tests and simulations would better prepare organisations for breaches in the future. “The UK National Cyber Security Centre are quantifying the extent of the breach at this stage and taking precautionary measures to limit any further impact to parliament computer systems. This should serve as a red light to all organisations: it’s not a matter of ‘if’ but ‘when’ a breach may happen. It isn’t good enough to prepare for this type of event on paper; instead, an organisation should prepare by regularly simulating incidents in order to put their response procedures into practice,” she said.
This view was echoed by Spencer Young, RVP EMEA at Imperva, who felt that with inadequate password protection in place, an attack like this was inevitable. “While we aren’t sure exactly what caused the issue, it appears there are concerns that Members of Parliament’s email credentials and passwords have been compromised.
Passwords continue to be an Achilles’ heel in the fight against cybercrime as improper user behaviour – such as weak passwords or use of the same password across different sites – continues,” he said.
“What’s disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the House, is that there are simple, effective methods such as two-factor authentication and TLS client authentication, which have been shown to be extremely secure, yet usability issues have hampered adoption. This is an outcome of a continual lack of understanding and investment from Government in security strategies that enterprise Britain adopts as standard operating procedures. This attack was unfortunately always a matter of time.”
Ravi Pather, senior vice president of eperi GmbH, believes enterprises need to implement multiple levels of IT and data security to deter future attacks, saying: “We have to assume that hackers will be successful – if not today, then tomorrow or the next day. The real question therefore is: are these Houses of Parliament systems – including email applications – protecting sensitive data from within? After all, this is what hackers are after.”
“A ‘sustained and determined’ cyber-attack by hackers means that hackers have some access to username and password credentials and will use these to attempt to access IT systems and emails – a bit like hackers trying to break into your front door by picking your front door locks. It’s been separately reported that UK MPs’ user credentials were on sale on Russian criminal websites, suggesting these may have been previously obtained.
“IT security of yesteryear was focused on implementing security systems such as ‘two-factor authentication’ and ‘access and identity management’ systems to prevent this type of attack – akin to making sure the locks and front door had good security systems and preventing entry.
“In a modern IT architecture, companies need multiple levels of both IT security as well as data security. They have to assume that not only can attackers come through the front door, they can also access data via other points of entry.
“In other words, what if the attackers do gain entry by breaking in via user passwords? Will they have easy open access to the data in email and other systems that contain sensitive data such as HR, expenses, accounts and sensitive parliamentary data?
“The focus therefore becomes more about where the email systems are storing this data. Is it an on-premises email system or a cloud-based mail system where this email may be stored on a cloud-based service? Is this data encrypted throughout its entire lifecycle?
“Furthermore, let’s not believe mere ‘data at rest’ encryption systems are enough. Though it’s a start, we have to protect this sensitive data through its entire lifecycle: ‘data in motion’, ‘data in use’ and ‘data at rest’.
“We just hope that the Houses of Parliament have this next level of more advanced data protection systems installed as well. If not, then there may be a very serious issue of gaining access to email and other systems that use and store sensitive data.”