Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks

The operation behind the UK government's Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today. The scheme's badges are required by suppliers bidding for "certain sensitive and personal information-handling [government] contracts". Companies were notified of …

  1. Anonymous Coward

    Who accredits the accreditors?

    1. Destroy All Monsters Silver badge

      Accradeeditors?

    2. Anonymous Coward

      Who accredits the accreditors?

      .. and who holds them to reasonable compliance with security and privacy standards?

      These .org.uk people run a mailserver in the US.

  2. Frumious Bandersnatch

    the Morissette Scale?

    You mean that song with a list of non-ironic things interspersed with a refrain of "Isn't it ironic?"

    No, Alanis, it is/they are not.

    1. lglethal Silver badge
      Joke

      Re: the Morissette Scale?

      Maybe she was being ironic?

    2. Anonymous Coward

      Re: the Morissette Scale?

      That's the whole idea, the song was Ironic in that it didn't have any irony, just bad luck etc.

      You could also argue that "You're So Vain" by Carly Simon was ironic because the song was in fact about them.

      Ring-a-Ring-of-Roses could also be ironic in that it's a nursery rhyme for young children about the Black Death.

      There's also a fine line between irony and sarcasm.

      1. Anonymous Coward

        Re: the Morissette Scale?

        Ring-a-Ring-of-Roses could also be ironic in that it's a nursery rhyme for young children about the Black Death.

        Actually, these days, it's pretty much confirmed as having nothing to do with the Plague.

        1. BebopWeBop Silver badge

          Re: the Morissette Scale?

          Actually, these days, it's pretty much confirmed as having nothing to do with the Plague.

          Ahh well another misconception shattered by people looking at the evidence!

    3. Paul Crawford Silver badge
      Coat

      Re: the Morissette Scale?

      I read that initially as the Morissey scale. Not sure if that counts as ironic or not.

      It's the one with the book in a pocket about being miserable now =>

      1. CrazyOldCatMan

        Re: the Morissette Scale?

        I read that initially as the Morissey scale.

        Which ranges from "I'm mildly upset" to "I'm writing songs for people to top themselves to". With very little between the two extremes apart from a bit of "No-one else appreciates my narcissism".

        (Not a fan. I liked the music, just not the depressing lyrics or the haphazard way they were delivered)

    4. Roj Blake

      Re: the Morissette Scale?

      The SI unit of irony is the kilospoon.

  3. RJL

    The comment (below) that is included in the main article is irrelevant and just plain daft because every company passing the Cyber Essentials scheme (IASME or otherwise) have their details published on the web anyway. Go to any of the main accrediting bodies and you'll see this. It's freely available information.

    "We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations," one affected worker told El Reg. "Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt."

    1. John Brown (no body) Silver badge

      But those who applied and failed won't be on the public list. Maybe the phishers will be after those companies to "offer services" on how to pass?

    2. MarkItZer0

      Nope. Going public is completely optional on the CREST scheme.

  4. Mike Moyle

    "We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."

    Translated: "Pay no attention to that shoe hanging in mid-air."

    1. Keven E

      Nobody really knows

      First it was your email address and the company name. Then it was revealed it was email, company and originating IP address. Next (of course) it's email, company name, IP address and exactly what service you provide,... then (just to keep each blow from getting too overwhelming) it's, well, email, company name, IP addy, specific service and the project manager's significant other's maiden name,... and then...

  5. EveryTime

    A 'bug bounty' is more likely to be a trap than a reward

    A company representative said "the researcher involved may have earned himself a bug bounty if he had approached the company directly".

    The researcher "may" have earned a bounty, not "would" have earned a bounty. Any bounty would likely be more of a trap than a reward: "here is $1 so that we can sue you into oblivion for violating a contract to never reveal this happened".

  6. RegGuy1 Silver badge

    An unknown person accessed a list of email addresses in a log file

    What? They don't audit their systems? Does everyone just use the 'admin' account?

    Aren't these supposed to be clever spooks?

    1. jaywin

      Re: An unknown person accessed a list of email addresses in a log file

      Maybe the Government should come up with a scheme to help people with protecting their digital resources?

    2. Wiltshire

      Re: An unknown person accessed a list of email addresses in a log file

      "Aren't these supposed to be clever spooks?"

      Indeed they are. But all the spooks I've met (a few) are just as human as the rest of us. Forget to lock the house, argue with spouse, shout at children, forget to change the password, promise to fix the config sometime soon, have a list of bugs to fix sometime soon, get distracted...

  7. Anonymous Coward

    Grammar, John

    "... the researcher involved may have earned himself a bug bounty ..."

    Did he or didn't he earn a bounty?

    Or do you mean "... might have ..."?

  8. This post has been deleted by its author

  9. Anonymous Coward

    Researcher = Black Hat Hacker

    1. Professional disclosure, inform so they can make good, no disclosure thus not professional.

    2. Seems to be off the back of Pervade's OpIndex tool publicity, so likely to be a TOR user = dubious, I wonder if TOR was used in the attack/research.

    3. All the information is in the public domain anyway

    4. Any further research/attacks on those listed will just add to balance that script kiddie researchers like this are just malicious. (some are white hat, and are doing good, for the better of us all)

    IASME/Pervade/Certification Bodies have informed the clients that were listed = Professional ethical behavior.

    Businesses doing Cyber Essentials, i.e. getting the basics right, now have good reason, as this case proves: on the internet no one knows you're a dog, and the more that get muzzled the better.

    AnonCow
