Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks
How does that rank on the Morissette Scale?
Updated The operation behind the UK government's Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today.
The scheme's badges are required by suppliers bidding for "certain sensitive and personal information-handling [government] contracts".
Companies were notified of the problem, which leaves them at greater risk of phishing attack, through an email on Wednesday from Dr Emma Philpott, chief exec at the IASME Consortium, which runs the accreditation.
"We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party," the notice stated.
"We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."
Pervade Software supplies the tech behind the assessment platform used by the IASME Consortium and its certification bodies. IASME is an information assurance standard geared towards the needs of small and medium enterprises.
The breach notice goes on to explain that the problem arose because of a configuration error, which has since been resolved.
An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.
Exposing hundreds of corporate email addresses is bad but it pales in comparison to breaches of payment information or weakly encrypted login credentials of millions of consumers. Nonetheless, security consultancies affected are – not unreasonably – unimpressed. Those behind the scheme should be setting an example for the rest of the industry so it's only fair to hold them to higher standards.
"We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations," one affected worker told El Reg. "Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt."
Another said he was "kinda miffed" that, while the companies had emailed users, neither had mentioned the breach on its website.
El Reg was first alerted to problems with the IASME website by a security researcher last week. "Their web application logs and database AES key are published within the root of their backend application exposing the email addresses, names and IP addresses of users," he told us at the time.
An experienced cyber security expert who helped us review what the hacker said told us that the problem was down to configuration mistakes, adding that IASME ought to have done better. "This situation was not only preventable; it was actually made by the company through poor installation and configuration," he said.
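The failure mode described above, a log file and key material left where the web server will serve them, is the kind of thing a pre-deployment check catches. The following Python script is an added example, not code from the article, from Pervade or from IASME; the list of risky file names, the content patterns and the sample document root it builds are constructed assumptions for illustration only.

```python
import re
import tempfile
from pathlib import Path

# File suffixes and names that should never sit under a web server's document
# root: logs, key material, environment files and backups. Heuristic list,
# an assumption for this example, not a list from the article or from Pervade.
RISKY_SUFFIXES = {".log", ".key", ".pem", ".sql", ".bak", ".old"}
RISKY_NAMES = {".env", "id_rsa", "config.php.bak", "web.config.bak"}

# Content heuristics: several distinct e-mail addresses in one file, or a line
# that looks like a key assignment (aes_key=..., secret_key: ...).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
KEY_RE = re.compile(r"(?i)\b(aes|secret|api)_?key\b\s*[=:]\s*\S+")


def find_exposed_artifacts(docroot, max_bytes=1 << 20):
    """Walk docroot and return [(relative_path, reason), ...] for files that
    look like they should not be reachable through the web server."""
    findings = []
    root = Path(docroot)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        reasons = []
        if path.suffix.lower() in RISKY_SUFFIXES:
            reasons.append(f"suffix {path.suffix} should not be served")
        if path.name in RISKY_NAMES:
            reasons.append(f"file name {path.name} should not be served")
        # Only read files of modest size; large binaries are skipped for content checks.
        if path.stat().st_size <= max_bytes:
            text = path.read_text(encoding="utf-8", errors="replace")
            emails = set(EMAIL_RE.findall(text))
            if len(emails) >= 3:
                reasons.append(f"contains {len(emails)} distinct e-mail addresses")
            if KEY_RE.search(text):
                reasons.append("contains what looks like a key assignment")
        for reason in reasons:
            findings.append((rel, reason))
    return findings


def build_sample_root():
    """Create a constructed document root (temporary directory) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<h1>Assessment portal</h1>\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text("console.log('ok');\n")
    # Constructed log lines of the kind that should never be web-reachable:
    # applicant e-mail, company name and the certification body's IP address.
    (root / "app.log").write_text(
        "2017-01-01 10:00:01 apply email=alice@example.com org=Example Ltd cb_ip=192.0.2.10\n"
        "2017-01-01 10:05:44 apply email=bob@example.org org=Sample plc cb_ip=192.0.2.11\n"
        "2017-01-01 10:09:12 apply email=carol@example.net org=Demo Co cb_ip=192.0.2.12\n"
    )
    # Constructed config fragment with a key value (placeholder, not a real key).
    (root / "config.inc").write_text(
        "db_host=localhost\naes_key=0123456789abcdef0123456789abcdef\n"
    )
    return root


def audit(docroot):
    """Print and return every finding under docroot."""
    findings = find_exposed_artifacts(docroot)
    for rel, reason in findings:
        print(f"{rel}: {reason}")
    return findings


if __name__ == "__main__":
    audit(build_sample_root())
```

Run it against the real document root of a deployment (for example as a CI step before the site goes live) rather than the constructed one; an empty result is the expected outcome, and any finding should block the deploy until the file is moved outside the served tree or the server is configured to deny it.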
We contacted Pervade Software about the issue last week and the firm promptly confirmed it was working on it. Pervade has evidently accepted our suggestion that it ought to contact individuals or entities whose information might have been exposed.
A representative of Pervade Software said that the researcher involved might have earned himself a bug bounty had he approached the company directly. The researcher, for his part, cites reports describing Pervade's hack-back technology as "we'll sell DDOS knives, it's up to you how you use them" before going on to describe them as a "snake-oil vendor". There's clearly no love lost on either side. Pervade Software describes information that accompanied the leak of the compromised info on the dark web as a "smear".
The breach notice goes on to suggest signed-up companies should be cautious of emails purporting to come from The IASME Consortium or another entity linked to the Cyber Essentials scheme lest they contain malware.
"Pervade Software have asked us to pass on their wholehearted apology for any inconvenience they may have caused you. Once again, let me assure you that the other information on the portal itself was not affected, and no-one has been able to gain unauthorised access to the system, your account, the answers you provided, or the report you received," the notice concludes.
The incident has been reported to both the Information Commissioner's Office and the National Crime Agency. ®
Updated to add: IASME is one of six accrediting bodies for the Cyber Essentials scheme run by NCSC. CREST, which is one of the others, contacted us to let us know its certifying bodies are not affected by this issue. You can find out more here.