Parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend.
And there is a long-established technology which can normally see off this kind of attack. The attack has been described as a “sustained and determined” cyber-attack by hackers attempting to gain access to MPs’ and their staffers’ email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords.
How the attack happened
A brute force attack such as this one, will try to gain entry to an account by using software to attempt multiple passwords – these attacks are sometimes known as dictionary attacks. This is more likely to work against weak passwords and accounts that don't have two-factor authentication turned on.
Two factor authentication (2FA) technology has been used among enterprises as a verification technique for more than two decades. It has been in use by some governments for just as long. However, it’s clear that this technology was not used to protect the MP’s accounts.
Who was effected
It is believed that around 90 email accounts of those working within the buildings may have been compromised by those trying to access them. As well as MPs and Lords who use the parliamentary networks, thousands of their staff, administration teams, and others who use the buildings were at risk. In 2015, the House of Commons said it alone had 2,040 people working there.
A House of Commons spokesperson said: “The Houses of Parliament have discovered unauthorised attempts to access parliamentary user accounts. We are continuing to investigate this incident and take further measures to secure the computer network, liaising with the National Cyber Security Centre (NCSC).
The spokesman said the 12-hour-long attack was a result of "weak passwords" that did not conform to guidance from the Parliamentary Digital Service and said that an investigation is under way to determine whether any data has been lost.
For more information please see: http://www.wired.co.uk/article/uk-parliament-hack