The Guardian reports that the British Houses of Parliament were targeted yesterday by hackers who attempted to break into email accounts of MPs and their staff.
The team responsible for securing the Houses of Parliament’s IT systems are said to have taken steps to block hackers from accessing accounts, but this apparently has blocked MPs from remotely accessing email inboxes.
The Guardian quoted an email which it claimed had been sent to affected users:
“Earlier this morning, we discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.”
“These attempts specifically were trying to gain access to our emails. We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access, however our investigation continues.”
The attack comes just days after it was being reported that online criminals were offering for sale the passwords of government officials – seemingly gleaned from the massive LinkedIn data breach of 2012 – although it’s too early to say whether this attack is definitely linked.
Statement regarding cyber incident. pic.twitter.com/fAbDkAfdbj
— Commons Press Office (@HoCPress) June 24, 2017
Details of the cyber attack on the Houses of Parliament email systems are presently sketchy, but it would be bonkers if any MP or their staff was not following these sensible precautions:
- Use a unique, hard-to-crack, complicated password to access your email account. Using an easy-to-guess password, or using the same password on different sites is a recipe for disaster.
- Enable two-factor authentication (or two-step verification) to better defend their account, making it harder for a criminal to break in even if they did manage to determine your password. If it’s good enough for the cast of Game of Thrones it should be good enough for you.
- Exercise caution over opening unsolicited email attachments, or entering login credentials without being certain that you were on a legitimate site.
- Listen to our “Smashing Security” podcast about securing webmail (helpfully embedded below), where we describe numerous tips that can be used to better defend your email account from hackers.
Update: On Sunday evening, the House of Commons press office issued an updated statement on the incident:
Parliament’s first priority has been to protect the parliamentary network and systems from the sustained and determined cyber attack to ensure that the business of the Houses can continue. This has been achieved and both Houses will meet as planned tomorrow.
Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service. As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.
Parliament is now putting in place plans to resume its wider IT services.
1% of 9000 accounts? That feels to me a little like some positive spin is attempting to be put on some lousy security.
As well as reminding users that it is essential to have strong, hard-to-crack and unique passwords, it would also be sensible for the Houses of Parliament to enforce two-factor authentication when logging in remotely to access email accounts, and to put in place some rate-limiting to prevent attackers from trying to brute force their way into accounts.