Members of UK Parliament Have Their Emails Hacked in Brute Force Attack
Email isn’t just one of the most convenient ways to communicate — it’s also the easiest way for a hacker to uncover information about you. In the final week of June, the Parliament of the United Kingdom experienced its very own cyber attack. The attack focused solely on Parliament email addresses and was not sophisticated in nature: it was a regular brute force attempt. However, the attack brought the network to a standstill.
By trying common passwords and as many other combinations as possible, the hackers eventually compromised roughly 90 email accounts. Although that accounts for only about 1% of the total number of active email addresses in Parliament, that still signifies a serious problem. The House of Commons issued a statement stating that they were investigating to determine if the attackers succeeded in stealing anything from the compromised accounts.
Even the mild success of this attack highlights two significant problems endemic not just government cyber security, but to cyber security practices in general. First, a brute force hack shouldn’t be able to compromise passwords. A strong password policy that disallows common weak passwords and enforces rules for strength can help render brute force attacks unfeasible for an attacker.
Second, why isn’t there a stronger perimeter defense in place to safeguard these important email accounts? Many corporations, for example, require a VPN in order to access email – and VPN access can be setup with two-factor authentication (2FA) in order to provide a strong defense against unwanted access. While it’s certainly convenient to access your email from anywhere without a VPN, this incident demonstrates the sacrifice in security by making access “too” convenient – and that trade-off at a government level could put things like national security at risk.
Despite the limited disruption to Parliament’s activities, the fact that attackers could breach any government accounts so easily is worrying. It puts a spotlight on the need for governments and enterprises to take cyber security seriously at all levels. Otherwise, it will continue to be all too easy for bad actors to launch attacks on sensitive data.