Cyber Essentials ‘Breach’ Exposes Firms to Phishers

Some organizations signed up to the government-backed Cyber Essentials security certification scheme are at risk of phishing attacks after a configuration error by a third-party software provider exposed their corporate email addresses.

The IASME Consortium is one of six organizations appointed by the government to certify firms according to the scheme, which aims to drive up security standards by focusing on five essential technical controls which it’s claimed would prevent most cyber-attacks.

It also runs the IASME Governance standard, marketed as “a realistic alternative to ISO27001.”

However, it has emerged that problems with the software platform used to assess Cyber Essentials compliance have led to an unintended data breach.

IASME sent Infosecurity Magazine the following statement:

“A configuration error in the Pervade Software platform used by IASME for Cyber Essentials assessments meant that some company names and corporate email addresses were made available to a third party. That error was fixed as soon as we realised the issue and all affected companies have been notified. We have notified the relevant authorities and are following their advice.

"We re-iterate that the assessment platform itself was not compromised.”

Organizations signing up to be assessed by IASME and certified as Cyber Essentials compliant will be disappointed to hear that doing so has put them at risk. However, security experts played down the seriousness of the incident.

Ilia Kolochenko, CEO of web security company, High-Tech Bridge, argued that it pales in comparison to some of the recent high-profile incidents which have led to the theft of billions of user details.

"Indeed, it can facilitate phishing attacks against the companies whose emails addresses were exposed, however virtually all this data can be gathered from public sources, albeit over a much longer period of time,” he added.

“Practically speaking and due to the nature of the Cyber Essentials accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly do no harm though."

What’s Hot on Infosecurity Magazine?