Breach at UK.gov’s Cyber Essentials scheme exposes users to phishing attacks


The operation behind the UK government’s Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today.

The scheme’s badges are required by all suppliers bidding for “certain sensitive and personal information-handling [government] contracts”.

Companies were notified of the problem, which leaves them at greater risk of phishing attacks, through an email on Wednesday from Dr Emma Philpott, chief exec at the IASME Consortium, which runs the accreditation.

“We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party,” the notice stated.

“We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party.”

Pervade Software supplies the tech behind the assessment platform used by the IASME Consortium and its certification bodies. IASME is an information assurance standard geared towards the needs of small and medium enterprises.

The breach notice goes on to explain that the problem arose because of a configuration error, which has since been resolved.

“An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.”
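The notice above says the exposed data was an application log that contained applicant email addresses, company names and the certification body's IP address, and that the log became reachable because of a configuration error. Two defensive controls follow directly from that description: keep personal data out of log files in the first place, and routinely check that no log files sit anywhere a web server will serve them. The script below is an added example written for this article; it is not Pervade's or IASME's code, and it assumes (the article does not say) that the log lived under a web-served document root. The sample log lines and paths are constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Patterns for the two kinds of personal data the notice says were in the log.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# File names that look like logs (including rotated copies such as access.log.1).
LOG_NAME_RE = re.compile(r"\.log(\.\d+|\.gz)?$", re.IGNORECASE)


def redact_pii(line: str) -> str:
    """Mask email addresses and IPv4 addresses before a line reaches disk.

    Emails keep only the first two characters of the local part plus the
    domain, which is enough to correlate events without disclosing the
    address; IPv4 addresses keep only the first two octets.
    """
    def _mask_email(m: re.Match) -> str:
        local, domain = m.group(0).split("@", 1)
        return f"{local[:2]}***@{domain}"

    def _mask_ip(m: re.Match) -> str:
        octets = m.group(0).split(".")
        return ".".join(octets[:2]) + ".x.x"

    line = EMAIL_RE.sub(_mask_email, line)
    return IPV4_RE.sub(_mask_ip, line)


def flag_log_files(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name looks like a log file.

    Pure function over a list of paths so it can be tested without touching
    the filesystem; scan_webroot() feeds it a real directory walk.
    """
    return [p for p in paths if LOG_NAME_RE.search(Path(p).name)]


def scan_webroot(root: str) -> List[str]:
    """Walk a web-served directory (hypothetical path) and flag log files in it."""
    root_path = Path(root)
    if not root_path.is_dir():
        return []
    return flag_log_files(str(p) for p in root_path.rglob("*") if p.is_file())


if __name__ == "__main__":
    # Constructed sample lines resembling what such an assessment log might hold.
    sample_lines = [
        "2016-03-23 10:14:02 assessment_started applicant=jane.doe@example.com "
        "company='Example Consultancy Ltd' cb_ip=203.0.113.7",
        "2016-03-23 10:15:40 assessment_submitted applicant=j.smith@example.org "
        "company='Smith Security' cb_ip=198.51.100.22",
    ]
    print("Redacted lines as they should be written to disk:")
    for raw in sample_lines:
        print("  " + redact_pii(raw))

    # Constructed paths standing in for a directory listing of a document root.
    sample_paths = [
        "/var/www/html/index.html",
        "/var/www/html/assessments/debug.log",
        "/var/www/html/old/access.log.1",
    ]
    print("Log files found under the (constructed) web root:")
    for p in flag_log_files(sample_paths):
        print("  " + p)
```

Run `scan_webroot("/path/to/docroot")` from a cron job or CI step and treat any non-empty result as a finding; pairing that with `redact_pii()` at the point where the application formats its log lines limits what an exposed log can leak even if the access control around it fails again.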

Exposing hundreds of corporate email addresses is bad but it pales in comparison to breaches of payment information or weakly encrypted login credentials of millions of consumers. Nonetheless, security consultancies affected are – not unreasonably – unimpressed. Those behind the scheme should be setting an example for the rest of the industry so it’s only fair to hold them to higher standards.

Source: The Register