Schadenfreude at-the-ready: Cyber Essentials accreditor suffers breach

News by Roi Perez

The IASME Consortium, one of the Cyber Essentials Scheme's six accrediting bodies, has had the email addresses and company names of organisations that applied for assessment through it exposed to a third party.

The IASME Consortium, a Cyber Essentials accreditor, has suffered a data breach. Email addresses of registered companies were stolen.

Any company wishing to bid for government contracts that involve handling sensitive or personal information must be certified under the scheme.

The Register has reported that those registered with IASME were notified by email on Wednesday by Dr Emma Philpott, CEO of the IASME Consortium.

Philpott said by email that “due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party.”

Philpott wrote in the notice that the breach occurred due to a configuration error, “which has since been resolved.”

She assured customers that the assessment platform itself was not compromised and that none of the information they provided to it, apart from the email address and company name, was taken.

A spokesperson for CREST got in touch with SC Media UK to say that the story on The Register misreported IASME's position, saying, “IASME is one of six Accrediting Bodies for the Cyber Essentials scheme run by NCSC. CREST is also one of them and its Certifying Bodies are not affected by this issue.”

There have been many mixed reactions to the breach, some pointing out the irony: “Maybe they should have had a security assessment, think there is a body who oversees those.. oh wait..”; others asking more pertinent questions like, “Can I ask why @CyberEssentials uses Pervade technology, who sell technology which directly allows hacking and DDoS?”

The Register's John Leyden opined that “Exposing hundreds of corporate email addresses is bad but it pales in comparison to breaches of payment information or weakly encrypted login credentials of millions of consumers.”

“Those behind the scheme should be setting an example for the rest of the industry so it's only fair to hold them to higher standards.”

As expected, the breach notice from Philpott goes on to suggest that companies who are registered on their system should be wary of phishing attacks.

Both the Information Commissioner's Office and the National Crime Agency have been made aware of the incident.

Javvad Malik, security advocate at AlienVault, said in a statement: "The incident illustrates that even the most security savvy organisations can make errors that can leave them exposed. Therefore it is essential to have robust threat detection capabilities in place that can monitor and alert where unauthorised access is being attempted so that the appropriate response may be taken. Having ongoing detection in place across both the network and critical hosts allows enterprises to have the assurance that systems are working as intended under the control of authorised persons."
