Update: The Lord Speaker, Lord Fowler, has issued a statement on parliamentary cyber-security.
The House of Commons has confirmed in a statement that it has logged “unauthorised attempts” to access the accounts of 9000 MPs, peers and parliamentary staff on the parliamentary network.
Parliament's email system and remote access tools were switched off during the weekend as a precautionary measure.
The incident follows on from Friday's report in The Times that a list containing login details of MPs, peers and parliamentary staff was being offered for sale on Russian-speaking websites.
A Parliament press statement said, “We have systems in place to protect member and staff accounts and are taking the necessary steps to protect our systems.”
However, the Parliamentary Digital Service (PDS) has been criticised by cyber-security experts for failing to provide other means of protection for email accounts.
A Parliamentary spokesman told the BBC, “The parliamentary network was compromised due to weak passwords which did not conform to guidance from the Parliamentary Digital Service.”
The spokesman added: "As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way."
Parliament said that “significantly fewer than 1 percent of the 9,000 accounts on the parliamentary network have been compromised”.
The Guardian's “security source” has already attributed the attack to Russia. No further explanation has been given as to how it reached this conclusion, apart from the fact that the credentials were being offered for sale on Russian-speaking forums.
Parliament described the incident as “ongoing” and said it is working with the National Cyber Security Centre (NCSC) to identify the culprits.
Parliament says the NCSC is working “to identify the method of the attack and have made changes to prevent the attackers gaining access”.
SC has contacted the NCSC for comment.
Neil Larkins, co-founder and COO of Egress Software Technologies, said in a statement: “There are technical measures that could have been put in place to stop this attack. For example, access can be restricted to known IP addresses, which would mean that anyone on an unknown external device trying to get access – even with the correct password – would be denied in the first instance.”
Larkins added: “Furthermore, as many MPs have highlighted, the real risk of this attack was that constituents' emails could be accessed, or that email content could leave MPs vulnerable to blackmail. If, however, the government had implemented message-level encryption, sensitive content would be secured and would require a separate access control.”