Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Configuration Error Embarrasses UK’s Cyber Essentials

The UK government’s Cyber Essentials scheme has suffered an embarrassing incident; but one that can hardly be called a breach and certainly not a cyber-attack. A configuration error in the underlying software platform exposed the email addresses of consultancies registered with the scheme — nothing more.

The UK government’s Cyber Essentials scheme has suffered an embarrassing incident; but one that can hardly be called a breach and certainly not a cyber-attack. A configuration error in the underlying software platform exposed the email addresses of consultancies registered with the scheme — nothing more.

Cyber Essentials is a UK government-backed certification scheme designed to encourage the adoption of good security practice. It includes five primary technical controls: boundary firewalls and internet gateways; secure configuration (ironically); access control; malware protection; and patch management. 

Certification is provided by one of a number of certifying bodies licensed by an accreditation body (currently APMG, CREST, IASME, IRM security and QG).

“Since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services,” explains the Cyber Essentials website. “Holding a Cyber Essentials badge enables you to bid for these contracts.”

It seems that the configuration error briefly exposed the email addresses of registered consultancies seeking certification to allow bidding for such government contracts. This error has been fixed by the provider concerned, Pervade Software.

An email notification sent to the ‘victims’ by Dr Emma Philpott, chief executive at the IASME Consortium (which runs the accreditation of the scheme), stated, “We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party.”

The NCA and Information Commissioner’s Office have, as standard practice, been notified; but the scheme doesn’t consider it worth a comment on its site. “We would like to make it clear that the security of the assessment platform has not been compromised,” continues the statement. “Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party.”

When email addresses are publicly exposed, the primary concern is over an increased likelihood of phishing attacks. This doesn’t appear to be a major problem with this incident. “In light of the recent breaches exposing billions of records containing extremely sensitive information, I would not call this particular incident a ‘breach’,” commented Ilia Kolochenko, CEO of High-Tech Bridge. “Indeed, it can facilitate phishing attacks against the companies whose emails addresses were exposed; however virtually all this data can be gathered from public sources, albeit over a much longer period of time. 

“Such incidents are quite hard to avoid unfortunately, moreover, due to lack of resources, many governmental websites have much more dangerous vulnerabilities that remain undetected for years. Practically speaking and due to the nature of the CES accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly not harm, though.”

It is, in short, a storm in a teacup that is more of an embarrassment to a government security scheme than a danger to the exposed. Nevertheless, it serves to highlight the diligence needed to prevent configuration errors in third-party supplied software — it could have been much worse.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Funding/M&A

Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.