Ouch! UK Govt's Cyber Essentials scheme suffers data breach due to configuration error

Emails exposed, which means phishing attacks could follow…

The UK Government's Cyber Essentials digital security scheme has suffered a data breach caused by a configuration error in a software platform.

On 21 June, companies received word of the incident from Dr. Emma Philpott, chief executive at the Information Assurance for Small and Medium Enterprises (IASME) Consortium. One of the scheme's Accreditation Bodies, IASME has incorporated Cyber Essentials into its information assurance standard. Suppliers wanting to secure contracts for work involving government data must therefore work with a Certification Body licensed by IASME or another Accreditation Body to achieve Cyber Essentials accreditation.

In her email to companies, Philpott explains that the breach traces back to a configuration error in IASME's deployment of a platform developed by Pervade Software and used for Cyber Essentials assessments. As quoted by The Register:

"An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue."
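The exposure described in that email is a familiar class of failure: a log file holding e-mail and IP addresses sitting under a path the web server will happily serve. The script below is an added example, not code from the article, from IASME or from Pervade. It walks a document root, flags file types that should never live there (logs, key material, backups, dotfiles) and, for readable text files, counts e-mail and IPv4 occurrences so the severity of a find can be judged. The file-name patterns, the function names and the sample directory with its log lines are all constructed for the demonstration.

```python
"""Audit a web document root for files that should never be served.

Added example, not part of the original article or of any vendor's code.
The sensitive-name lists and the sample document root are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical list of file types with no business under a document root.
SENSITIVE_SUFFIXES = {".log", ".key", ".pem", ".env", ".sql", ".bak", ".old", ".swp"}
# Hypothetical exact names that are equally out of place.
SENSITIVE_NAMES = {".env", ".htpasswd", "id_rsa"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def count_pii(path):
    """Return (email_count, ipv4_count) for a UTF-8 text file.

    Binary or unreadable files yield (0, 0); the file is still reported,
    only the severity hint is missing.
    """
    try:
        text = Path(path).read_text(encoding="utf-8", errors="strict")
    except (UnicodeDecodeError, OSError):
        return (0, 0)
    return (len(EMAIL_RE.findall(text)), len(IPV4_RE.findall(text)))


def audit_docroot(docroot):
    """Walk docroot and return a list of findings sorted by relative path.

    Each finding is a dict with the relative path, the reason it was
    flagged, and counts of e-mail and IPv4 addresses found inside it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            full = Path(dirpath, name)
            if full.suffix.lower() in SENSITIVE_SUFFIXES or name in SENSITIVE_NAMES:
                emails, ips = count_pii(full)
                findings.append({
                    "path": full.relative_to(docroot).as_posix(),
                    "reason": "sensitive file type under web root",
                    "emails": emails,
                    "ipv4": ips,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot():
    """Create a constructed document root resembling the incident: a public
    index page, a stylesheet, and an assessment log carrying e-mail and
    IP addresses (all values are documentation/example ranges)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    Path(root, "index.html").write_text("<h1>Assessment portal</h1>\n")
    Path(root, "css").mkdir()
    Path(root, "css", "site.css").write_text("body { margin: 0 }\n")
    Path(root, "logs").mkdir()
    Path(root, "logs", "assessment.log").write_text(
        "2017-06-19 10:02:11 login user=alice@example.com cb_ip=198.51.100.7\n"
        "2017-06-19 10:05:43 login user=bob@example.org cb_ip=198.51.100.7\n"
        "2017-06-19 10:09:02 submit user=carol@example.net cb_ip=203.0.113.22\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for finding in audit_docroot(sample):
        print(f"{finding['path']}: {finding['reason']} "
              f"(emails={finding['emails']}, ipv4={finding['ipv4']})")
```

Run against a real document root, the audit should come back empty; anything it reports is either a file to move outside the served tree or a server rule to add so the type is never served. The file-presence check catches the misconfiguration before a log is requested, which is the point: the fix in this incident was applied only after someone had already fetched the file.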

It's a good thing the breach didn't affect other suppliers' financial information. (Other breaches involving UK companies haven't been as lucky.)

But Cyber Essentials stands for better digital security practices. A breach involving this scheme is ironic, to say the least... if not downright infuriating. One affected employee vocalized this latter sentiment to The Register:

"We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations. Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt."

With that information, attackers can conduct phishing campaigns and other attacks against affected companies, possibly with the lure of non-existent government contracts.

Currently, Pervade and IASME are working to fix the error. Let's hope they follow up these efforts with an explanation of what happened and what they're doing to prevent it from happening again.

6 Responses

  1. Malcolm

    June 23, 2017 at 10:29 am

    It's only the email addresses that are important here, as the list of accredited companies is published by IASME anyway at https://www.iasme.co.uk/certified-organisations/

    The same is true of other Accreditation Bodies:
    CREST publishes their list at http://www.cyberessentials.org/list/, and
    QG at http://www.qgstandards.co.uk/cyber-essentials-accredited-companies/
    Interestingly APMG does not appear to publish a list.

    • Ben in reply to Malcolm.

      June 27, 2017 at 4:16 pm

      Hi

      APMG's list can be found here → https://ces.apmg-certified.com/Organisations.aspx

  2. Etaoin Shrdlu

    June 23, 2017 at 10:34 am

    Always pay close attention to government instructions, then do the opposite.

  3. Roger Leyland

    June 23, 2017 at 10:59 am

    This is the government that thinks back doors to encrypted services can be kept safe…

  4. AJC

    June 23, 2017 at 2:12 pm

    El Reg was first alerted to problems with the IASME website by a security researcher last week. "Their web application logs and database AES key are published within the root of their backend application exposing the email addresses, names and IP addresses of users," he told us at the time.

  5. AJC

    June 23, 2017 at 2:15 pm

    Presumably Pervade Software has been added to the unaccredited list?