Configuration Error Embarrasses UK’s Cyber Essentials

The UK government’s Cyber Essentials scheme has suffered an embarrassing incident; but one that can hardly be called a breach and certainly not a cyber-attack. A configuration error in the underlying software platform exposed the email addresses of consultancies registered with the scheme — nothing more.

Cyber Essentials is a UK government-backed certification scheme designed to encourage the adoption of good security practice. It includes five primary technical controls: boundary firewalls and internet gateways; secure configuration (ironically); access control; malware protection; and patch management. 

Certification is provided by one of a number of certifying bodies licensed by an accreditation body (currently APMG, CREST, IASME, IRM security and QG).

“Since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services,” explains the Cyber Essentials website. “Holding a Cyber Essentials badge enables you to bid for these contracts.”

It seems that the configuration error briefly exposed the email addresses of registered consultancies seeking certification to allow bidding for such government contracts. This error has been fixed by the provider concerned, Pervade Software.

An email notification sent to the ‘victims’ by Dr Emma Philpott, chief executive at the IASME Consortium (which runs the accreditation of the scheme), stated, “We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party.”

The NCA and Information Commissioner’s Office have, as standard practice, been notified; but the scheme doesn’t consider it worth a comment on its site. “We would like to make it clear that the security of the assessment platform has not been compromised,” continues the statement. “Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party.”

When email addresses are publicly exposed, the primary concern is over an increased likelihood of phishing attacks. This doesn’t appear to be a major problem with this incident. “In light of the recent breaches exposing billions of records containing extremely sensitive information, I would not call this particular incident a ‘breach’,” commented Ilia Kolochenko, CEO of High-Tech Bridge. “Indeed, it can facilitate phishing attacks against the companies whose emails addresses were exposed; however virtually all this data can be gathered from public sources, albeit over a much longer period of time. 

“Such incidents are quite hard to avoid unfortunately, moreover, due to lack of resources, many governmental websites have much more dangerous vulnerabilities that remain undetected for years. Practically speaking and due to the nature of the CES accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly not harm, though.”

It is, in short, a storm in a teacup that is more of an embarrassment to a government security scheme than a danger to the exposed. Nevertheless, it serves to highlight the diligence needed to prevent configuration errors in third-party supplied software — it could have been much worse.