Hackers attempt to break into UK MPs’ email accounts, as Houses of Parliament targeted by cyber attack

Houses of Parliament lock down IT systems.


The Guardian reports that the British Houses of Parliament were targeted yesterday by hackers who attempted to break into email accounts of MPs and their staff.

The team responsible for securing the Houses of Parliament’s IT systems is said to have taken steps to block the hackers from accessing accounts, but those same steps have apparently also blocked MPs from reaching their email inboxes remotely.

The Guardian quoted an email which it claimed had been sent to affected users:

“Earlier this morning, we discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.

“These attempts specifically were trying to gain access to our emails. We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access, however our investigation continues.”

The attack comes just days after reports that online criminals were offering for sale the passwords of government officials, seemingly gleaned from the massive LinkedIn data breach of 2012, although it’s too early to say whether this attack is definitely linked.

Details of the cyber attack on the Houses of Parliament email systems are presently sketchy, but it would be bonkers if any MP or their staff was not following these sensible precautions:

  • Use a unique, hard-to-crack, complicated password to access your email account. Using an easy-to-guess password, or reusing the same password on different sites, is a recipe for disaster.
  • Enable two-factor authentication (or two-step verification) to better defend your account, making it harder for a criminal to break in even if they do manage to determine your password. If it’s good enough for the cast of Game of Thrones it should be good enough for you.
  • Exercise caution over opening unsolicited email attachments, or entering login credentials without being certain that you are on a legitimate site.
  • Listen to our “Smashing Security” podcast about securing webmail (helpfully embedded below), where we describe numerous tips that can be used to better defend your email account from hackers.

Listen on Apple Podcasts | Google Podcasts | Other… | RSS
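As an added illustration (not code from the original post), the Python below shows how a login system can refuse passwords that have already turned up in breaches like the LinkedIn one, without ever sending the password itself to a third party. It uses the k-anonymity range lookup popularised by Have I Been Pwned’s Pwned Passwords service: hash the password with SHA-1, transmit only the first five hex characters, and compare the returned hash suffixes locally. The breach corpus and the range responses here are constructed from a short list of sample passwords so the script runs offline; `hibp_range_provider` shows what the live call would look like but is never invoked.

```python
"""Screen a candidate password against a breached-password corpus using a
k-anonymity range lookup (only a 5-character hash prefix ever leaves the host).

Added example, not code from the original post. SAMPLE_RANGES is CONSTRUCTED
from a tiny list of pretend-breached passwords so the lookup works offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for "passwords seen in breaches" with occurrence counts.
# You never hold this plaintext list for real; it exists only to build the
# sample range responses below.
_BREACHED_SAMPLES: Dict[str, int] = {
    "password": 3730471,
    "linkedin": 89531,
    "Parliament2017": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash the range service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_sample_ranges(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group corpus hashes by their 5-hex-char prefix, as a range service does."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


SAMPLE_RANGES = _build_sample_ranges(_BREACHED_SAMPLES)


def offline_range_provider(prefix: str) -> str:
    """Mimic the body of GET /range/<prefix>: CRLF-separated SUFFIX:COUNT lines."""
    return "\r\n".join(SAMPLE_RANGES.get(prefix.upper(), []))


def hibp_range_provider(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range API (not called in this
    offline example). Only the 5-character prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-screening-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_range_provider) -> int:
    """Return how often the password appears in the corpus (0 = not seen).

    The full hash is never transmitted: the provider receives the prefix and
    the suffix comparison happens here.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_len: int = 12,
                        fetch_range: Callable[[str], str] = offline_range_provider
                        ) -> Tuple[bool, str]:
    """Policy check: reject short passwords and anything already breached."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breach corpora; choose another"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "Parliament2017", "correct horse battery staple"):
        print(pw, "->", password_acceptable(pw))
```

The length floor and the breach check are deliberately the only rules: complexity rules (one digit, one symbol) push people towards predictable patterns that are in the breach corpora anyway, and a rule that rejects anything already seen in a breach is what actually stops a credential-stuffing attack built on the LinkedIn dump.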

Update: On Sunday evening, the House of Commons press office issued an updated statement on the incident:

Parliament’s first priority has been to protect the parliamentary network and systems from the sustained and determined cyber attack to ensure that the business of the Houses can continue. This has been achieved and both Houses will meet as planned tomorrow.

Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service. As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.

Parliament is now putting in place plans to resume its wider IT services.

Fewer than 1% of 9,000 accounts? That reads to me rather like an attempt to put a positive spin on some lousy security: that is still potentially dozens of parliamentary mailboxes opened with a guessed password.

As well as reminding users that it is essential to have strong, hard-to-crack and unique passwords, it would also be sensible for the Houses of Parliament to enforce two-factor authentication for remote access to email accounts, and to put in place rate-limiting (per source address as well as per account) so that attackers cannot simply keep guessing until a weak password falls.
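To make the rate-limiting point concrete, here is an added example (not code from the original post or from Parliament’s IT team) that watches an authentication log for the kind of activity described in the statement: a sustained attempt to find weak passwords across all accounts. The log format is a simplified, constructed one (`ts auth=OK|FAIL user=… src=…`); real OWA, IMAP or SMTP logs differ, but carry the same three fields. It tracks two patterns separately, because a per-account lockout alone misses the second: classic brute force (many failures against one mailbox) and password spraying (one source trying a couple of common passwords against many mailboxes, staying under any per-account threshold). Sources get blocked; accounts are flagged for step-up authentication and owner notification rather than locked, since a hard lockout would let an attacker lock every MP out on purpose.

```python
"""Brute-force and password-spray detection over a constructed auth log.

Added example, not code from the original post. The log lines, addresses
(RFC 5737 documentation ranges) and usernames are CONSTRUCTED sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Return (timestamp, result, user, source) for one constructed log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


class AuthMonitor:
    """Sliding-window counters per source address and per account."""

    def __init__(self, window: timedelta = timedelta(minutes=10),
                 per_source_limit: int = 10, spray_accounts: int = 5,
                 per_account_limit: int = 10) -> None:
        self.window = window
        self.per_source_limit = per_source_limit    # failures from one source
        self.spray_accounts = spray_accounts        # distinct accounts from one source
        self.per_account_limit = per_account_limit  # failures against one account
        self.src_fails: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.user_fails: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.blocked_sources: Dict[str, str] = {}
        self.flagged_accounts: Dict[str, str] = {}

    def _window_label(self) -> str:
        return f"{int(self.window.total_seconds() // 60)} min"

    def _expire(self, dq: Deque[Tuple[datetime, str]], now: datetime) -> None:
        cutoff = now - self.window
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def observe(self, line: str) -> List[str]:
        """Feed one log line; return any alerts it triggers."""
        ts, result, user, src = parse_line(line)
        if src in self.blocked_sources:
            return []  # an enforced block would have dropped this before auth
        if result == "OK":
            self.user_fails[user].clear()  # a genuine login resets the account counter
            return []
        alerts: List[str] = []
        sf = self.src_fails[src]
        sf.append((ts, user))
        self._expire(sf, ts)
        uf = self.user_fails[user]
        uf.append((ts, src))
        self._expire(uf, ts)

        distinct_accounts = {u for _, u in sf}
        if len(sf) >= self.per_source_limit:
            reason = f"{len(sf)} failures in {self._window_label()}"
        elif len(distinct_accounts) >= self.spray_accounts:
            reason = f"password spray: {len(distinct_accounts)} accounts in {self._window_label()}"
        else:
            reason = ""
        if reason:
            self.blocked_sources[src] = reason
            alerts.append(f"BLOCK src={src}: {reason}")

        if user not in self.flagged_accounts and len(uf) >= self.per_account_limit:
            sources = {s for _, s in uf}
            self.flagged_accounts[user] = f"{len(uf)} failures from {len(sources)} source(s)"
            alerts.append(f"FLAG user={user}: {self.flagged_accounts[user]} "
                          "(require 2FA step-up, notify owner)")
        return alerts


def analyse(lines: List[str], **kwargs) -> Dict[str, object]:
    """Run the monitor over a log and summarise blocks, flags and alerts."""
    mon = AuthMonitor(**kwargs)
    alerts: List[str] = []
    for line in lines:
        if line.strip():
            alerts.extend(mon.observe(line))
    return {"alerts": alerts,
            "blocked_sources": dict(mon.blocked_sources),
            "flagged_accounts": dict(mon.flagged_accounts)}


def _constructed_log() -> List[str]:
    """Constructed sample: a sprayer, a brute-forcer and one fumbling real user."""
    base = datetime(2017, 6, 23, 9, 0, tzinfo=timezone.utc)

    def ev(offset_s: int, result: str, user: str, src: str) -> str:
        t = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{t} auth={result} user={user} src={src}"

    lines = [ev(i * 10, "FAIL", u, "203.0.113.5")       # spray: one guess per mailbox
             for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    lines += [ev(60 + i * 5, "FAIL", "smithj", "198.51.100.7") for i in range(12)]  # brute force
    lines += [ev(120, "FAIL", "jonesa", "192.0.2.10"),    # legitimate user mistypes twice
              ev(130, "FAIL", "jonesa", "192.0.2.10"),
              ev(140, "OK", "jonesa", "192.0.2.10")]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Run against the sample log, the sprayer is blocked after its fifth distinct mailbox even though no account saw more than one failure, the brute-forcer is blocked and the targeted mailbox flagged at the tenth guess, and the genuine user who mistyped twice is never touched. Note what the counters do not do: the spray detector will not see one guess per account spread across many source addresses, which is why enforced two-factor authentication, not just throttling, is the real fix.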


6 Responses

  1. Jim

    June 26, 2017 at 3:40 am

    Someone trying to brute force passwords on a mail server doesn’t really seem that unusual to me. Happens every day on every mail server in the world as far as I know!
    Maybe they only just noticed it, which is far scarier. It means they weren’t monitoring it before …

  2. Martin

    June 26, 2017 at 10:19 am

    What’s going on?

    Weak passwords - why are they not using complexity rules?
    Brute force attacks - why are they not using lockout policies?
    Passwords stolen from 2012 LinkedIn hack - Why are they not using password renewal policies and training people properly in password management?

    Based on this information and if true, seems like an epic fail for H of P IT management. I mean, it is not as if it is anything important they are protecting!!!

    Just errors in the very basics again.

  3. Mark Jacobs

    June 26, 2017 at 10:38 am

    I run 2 email servers, and I can see hack attempts every day on the logs. However, the software I use (Mailtraq) is excellent and automatically sin-bins any IP address thrashing passwords at it repeatedly.

    • Simon in reply to Mark Jacobs.

      June 26, 2017 at 12:11 pm

      Likewise, in my case Fail2ban bans the 2nd failed authentication attempt.

      Also, 2FA is in-place, install the latest patches, etc…

  4. SlipperyJim

    June 26, 2017 at 12:54 pm

    I would have thought that they’d all have keyfobs generating one time codes for their access.

  5. Jim

    June 28, 2017 at 2:16 pm

    “…but it would be bonkers if any MP or their staff was not following these sensible precautions:”

    Hmm, that’s expecting MPs to be aware, of course. I remember one MP stating that to prevent spam the sender should provide their postcode. That happened a few years ago, but expecting a certain number of MPs to be up to date with modern tech seems wishful thinking.
