The operation behind the UK government’s Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today.
We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party.
An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.
Given the ransomware attack which affected the NHS in May, and this most recent issue affecting the organisation that has responsibility for UK Cyber Security, it’s probably safe to say the UKs ability to protect and coordinate is less than ideal.
It’s a shame really, as the expectations of Ciaran Martin, the CEO of the National Cyber Security Centre were so bold earlier in the year:
Our agenda is unashamedly ambitious; we want to be a world leader in cyber security.
Hopefully the National Crime Agency will take the necessary steps against the vendor for a clear breach in process.