The UK Government's Cyber Essentials digital security scheme has suffered a data breach caused by a configuration error in a software platform.
On 21 June, companies received word of the incident from Dr. Emma Philpott, chief executive at the Information Assurance for Small and Medium Enterprises (IASME) Consortium. One of the scheme's Accreditation Bodies, IASME has incorporated Cyber Essentials into its information assurance standard. Suppliers wanting to secure contracts for work involving government data must therefore work with a Certification Body licensed by IASME or another Accreditation Body to achieve Cyber Essentials accreditation.
In her email to companies, Philpott explains the breach traces back to a configuration error involving its deployment of a platform developed by Pervade Software and used for Cyber Essentials assessments. As quoted by The Register:
"An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue."
It's a good thing the breach didn't affect other suppliers' financial information. (Other breaches involving UK companies haven't been as lucky.)
But Cyber Essentials stands for better digital security practices. A breach involving this scheme is ironic, to say the least... if not downright infuriating. One affected employee vocalized this latter sentiment to The Register:
"We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations. Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt."
With that information, attackers can conduct phishing campaigns and other attacks against affected companies, possibly with the lure of non-existent government contracts.
Currently, Pervade and IASME are working to fix the error. Let's hope they follow up these efforts with an explanation of what happened and what they're doing to prevent it from happening again.