An article on leading global online tech publication The Register suggests that the consortium supporting the UK government’s own Cyber Essentials scheme has suffered a breach – the incident has been reported to both the Information Commissioner's Office and the National Crime Agency.
Launched by the UK Government in June 2014, the Cyber Essentials scheme is a cyber security standard that organisations can be assessed and certified against.
All suppliers bidding for government contracts that involve handling sensitive and personal information, or providing certain technical products and services, must comply with the new Cyber Essentials controls.
The article says that the email addresses of consultancies registered with the IASME Consortium, one of six accrediting bodies for the Cyber Essentials scheme, together with the email addresses used to apply for an assessment and the company names, may have been released to a third party.
According to The Register, Dr Emma Philpott, chief executive at the Consortium, sent a notice to companies yesterday via email which stated:
"We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party.
"We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."
The Pervade Software assessment platform is used by the Consortium and its certification bodies.
The notice continues:
“An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.”
The companies have been warned to be cautious of phishing emails purporting to come from entities linked to the Cyber Essentials scheme, including the IASME Consortium, as such emails could potentially carry malware.
Currently neither the Consortium nor the Pervade websites appear to have published any public statements about the breach.
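The notice describes a log file, generated by the assessment platform and holding applicant email addresses and a certification body's IP address, that became reachable through a configuration error. The script below is an added illustration of the kind of check a defender can run against a served directory to catch that failure mode; it is not code from the page, from Pervade Software or from the IASME Consortium, and nothing is known about the actual platform's layout. It assumes that everything under the audited root is reachable over HTTP, that files with a `.log`, `.out` or `.txt` suffix are log output, and it builds its own constructed sample tree with documentation-range addresses so it runs offline.

```python
import re
import stat
import tempfile
from pathlib import Path

# Patterns for the two data types the notice names: email addresses and IPv4 addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Suffixes treated as log output; an assumption for this example, not the platform's convention.
LOG_SUFFIXES = {".log", ".out", ".txt"}


def is_world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def find_personal_data(text: str) -> dict:
    """Return the distinct email and IPv4 addresses found in a block of text."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
    }


def audit_tree(root) -> list:
    """Walk a served directory tree and report log-like files that contain personal data.

    Every file under `root` is assumed to be reachable by HTTP, so any log file found
    here is a finding regardless of permissions; the permission bit is reported as an
    extra signal, since such a file should never have been world-readable either.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in LOG_SUFFIXES:
            continue
        pii = find_personal_data(path.read_text(errors="replace"))
        if not (pii["emails"] or pii["ips"]):
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "world_readable": is_world_readable(path),
            "email_count": len(pii["emails"]),
            "ip_count": len(pii["ips"]),
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> Path:
    """Create a constructed web root: one exposed log, one locked-down log and an HTML page."""
    root = Path(tempfile.mkdtemp(prefix="logaudit-"))
    (root / "private").mkdir()
    # Constructed log lines: applicant emails plus a certification body IP, as the notice describes.
    exposed = root / "assessment.log"
    exposed.write_text(
        "2017-05-01 applicant=alice@example-consultancy.test body_ip=203.0.113.10\n"
        "2017-05-01 applicant=bob@example-audit.test body_ip=203.0.113.10\n"
    )
    exposed.chmod(0o644)  # world-readable, the weak setting
    locked = root / "private" / "app.log"
    locked.write_text("2017-05-02 applicant=carol@example-sec.test\n")
    locked.chmod(0o600)  # owner-only, the corrected setting
    # Not a log file, so it is skipped even though it contains an address.
    (root / "index.html").write_text("<p>contact@example-consultancy.test</p>\n")
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

Run against a real document root, the interesting output is any finding at all: logs holding applicant data have no business under a served path, and a scheduled run of a check like this, or a file-integrity baseline that alerts when a new `.log` appears under the web root, turns a silent misconfiguration into an event.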
“Prime example of how all organizations need to focus on fundamentals - people, process & technology”
According to Paul Edon, Director of Professional Services (International) at Tripwire, the news that the government’s own Cyber Essentials scheme had suffered the breach is a prime example of how all organizations need to stay focused on the fundamentals; the people, the process and the technology.
Edon commented:
"The fact that a Cyber Security organisation can lose personal data through a misconfiguration should act as a stark reminder to us all just how relevant security fundamentals remain. File and System Integrity Monitoring is regarded to be one of the foundational security controls that form the basis of a technical security strategy. This breach is a prime example of how all organizations need to stay focused on the fundamentals; the people, the process and the technology."
"Educating the workforce can hugely reduce the risk of successful cyber-attacks using vectors such as phishing and URL drive-by, it can also help users identify unusual system activity that may result from malicious action."
"Incident Response is just one example of where a well-defined and regularly practised process can make a huge difference to the outcome of an incident, possibly preventing that incident from becoming a breach."
"Technology forms a large part of the Foundational Controls necessary to support a defence-in-depth security solution. Encryption, dual factor authentication, vulnerability management, change management and mail/web filtering are just a few that come to mind. The most effective method to determine which foundational controls are required is to carry out a full and comprehensive risk assessment of the business, systems and data."
Waterbriefing is media partner with the 4th Annual Industrial Control Cybersecurity Europe Summit in London this September.