In the wake of a "sustained and determined" cyberattack targeting parliamentary email accounts last week (23 June), a number of security experts have reflected on how the incident could have been avoided, lambasting UK politicians for failing to meet basic cyber hygiene.
The British government revealed hackers probed MP accounts to identify those with weak security and said "fewer than 90" inboxes were compromised. Ultimately, officials blamed the number of successful intrusions on "the use of weak passwords that did not conform to guidance."
That guidance asks staff to keep passwords at a "minimum of eight characters including upper and lower case letters and a number", says they must "not be based upon easily guessed words" and that credentials "should not be written down unless absolutely necessary."
It seems basic advice was ignored on dozens of accounts. Additionally, based on statements from the UK House of Commons, it appears multi-factor authentication – used to add an extra layer of protection to accounts – was not required on politicians' inboxes.
Questions have also been asked about why passwords were even allowed to "not conform" to official guidance – was there no system in place to enforce the rules?
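The rules quoted above are mechanical enough to be checked at password-change time, which is the "system in place to enforce the rules" the question is asking about. The following is an added example written for this page, not code from the article or from any parliamentary system: it implements the three quoted rules (length, character mix, not based on an easily guessed word). The list of easily guessed words and the leetspeak normalisation are assumptions; a real deployment would screen against a large breached-password list.

```python
"""Password-policy check modelled on the guidance quoted in the article.
Added example; the word list and normalisation rules are assumptions."""
import re

MIN_LENGTH = 8

# Constructed stand-in for "easily guessed words". A production check would
# use a large dictionary/breached-password list instead (assumption).
EASILY_GUESSED = {"password", "parliament", "westminster", "qwerty", "letmein", "welcome"}

# Common digit/symbol substitutions so that "P@ssw0rd1" is still caught.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case, undo common substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_SUBSTITUTIONS))


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password conforms."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    core = normalise(password)
    for word in sorted(EASILY_GUESSED):
        if word in core:
            problems.append(f"based on easily guessed word '{word}'")
            break
    return problems


def conforms(password: str) -> bool:
    """True when the password meets every quoted rule."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("short", "P@ssw0rd1", "Parliament2017", "Xq7vLm2pTz"):
        print(candidate, "->", check_password(candidate) or "conforms")
```

Enforcing the check on every password change is what turns written guidance into a control; the article's point is that guidance alone left dozens of accounts non-conformant.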
"There is still more work to be done on the most basic level of security – password protection," said Neil Larkins, co-founder of security firm Egress.
"Unfortunately, we cannot trust MPs to always make the best security choices," he continued.
"There has to be a system in place to enforce a minimum requirement of password security, and provide more comprehensive training and incentives for staff to adopt better security practices."
The hackers reportedly used "brute force" tactics to crack as many accounts as possible – luckily less than 1% of the total 9,000 on the network.
Yet politicians were given ample warning that their credentials may have already been traded on the criminal underground following an article in The Times on the same day as the attack.
The newspaper exclusively reported that MP email information, pilfered from previous leaks at MySpace, LinkedIn and Yahoo, was listed as 'for sale' on the dark web.
So what went wrong?
"The key problem is that many of the passwords that have been exposed through external social media sites are the same passwords used for everyday duties. This would contravene best practice and guidance," said Andrew Clarke, director at security firm One Identity.
He said the government could overcome password reuse by introducing multi-factor authentication. "To access a system, the user has to not only provide the password but also the second factor – which may be for example a code that has been sent via SMS," Clarke elaborated.
"If passwords need to be used, then a password manager tool would help on a number of fronts. Firstly, it would help reinforce policies and data security standards and if a password is tried unsuccessfully then the system access is actually locked out."
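Clarke's last sentence describes account lockout after unsuccessful attempts, the control that limits the "brute force" probing reported in this incident. Below is an added example, not code from the article, One Identity or any parliamentary system: a sliding-window lockout tracker replayed over a constructed authentication log. The log format, the thresholds and the account names are assumptions.

```python
"""Sliding-window account lockout replayed over a constructed auth log.
Added example; format, thresholds and account names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # failures tolerated inside the window
WINDOW = timedelta(minutes=10)    # sliding window for counting failures
LOCK_DURATION = timedelta(minutes=30)

# Constructed sample log: "<ISO timestamp> <account> <source-ip> <result>".
# alpha is hammered five times then the right password is tried; beta has
# two widely spaced failures before a genuine login.
SAMPLE_LOG = """\
2017-06-23T09:00:01 mp.alpha@example.org 198.51.100.7 FAIL
2017-06-23T09:00:05 mp.alpha@example.org 198.51.100.7 FAIL
2017-06-23T09:00:09 mp.alpha@example.org 198.51.100.7 FAIL
2017-06-23T09:00:14 mp.alpha@example.org 198.51.100.7 FAIL
2017-06-23T09:00:20 mp.alpha@example.org 198.51.100.7 FAIL
2017-06-23T09:00:25 mp.alpha@example.org 198.51.100.7 SUCCESS
2017-06-23T09:01:00 mp.beta@example.org 203.0.113.5 FAIL
2017-06-23T09:30:00 mp.beta@example.org 203.0.113.5 FAIL
2017-06-23T09:31:00 mp.beta@example.org 203.0.113.5 SUCCESS
"""


class LockoutTracker:
    """Tracks recent failures per account and enforces a temporary lock."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> datetime the lock expires

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def attempt(self, account, now, credential_ok):
        """Return 'ALLOW', 'DENY' or 'LOCKED' for one login attempt."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "LOCKED"          # rejected even if the password is right
        self._prune(account, now)
        if credential_ok:
            self.failures[account].clear()
            return "ALLOW"
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_DURATION
            self.failures[account].clear()
        return "DENY"


def replay(log_text):
    """Replay log lines through the tracker; returns (account, timestamp, outcome)."""
    tracker = LockoutTracker()
    outcomes = []
    for line in log_text.splitlines():
        ts, account, _src, result = line.split()
        now = datetime.fromisoformat(ts)
        outcomes.append((account, ts, tracker.attempt(account, now, result == "SUCCESS")))
    return outcomes


if __name__ == "__main__":
    for account, ts, outcome in replay(SAMPLE_LOG):
        print(ts, account, outcome)
```

In the replay, alpha's sixth attempt is refused even though the credential is correct, because the lock is already in force; beta's two failures fall outside the window and the genuine login succeeds. A hard lock of this kind can itself be turned against legitimate users, so deployments often prefer progressive throttling, and the second factor Clarke mentions remains the stronger answer to a reused or guessed password.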
The official government guidance requests that all "confidential documents" be separately password protected by the user.
But it remains unknown if documents or secret material was compromised. The government said an investigation is now underway.
"It's worrying that members of parliament do not seem to be clued up on the security risks of weak passwords," said James Romer, an expert at cybersecurity firm SecureAuth.
"The hackers specifically probed for those who were not following government protocol."
"This leaves the door wide open for hackers," Romer continued. "Individuals, especially those in governmental positions, need to have security more front-of-mind and realise that even the most trivial security weakness can be exploited to gain access."
The culprit behind the hack remains unclear. Speculation from unnamed security sources in British media has suggested the involvement of hackers aligned with Russia; however, experts maintain it is still too early to reach any conclusion on attribution, urging scepticism.
The UK National Cyber Security Centre (NCSC), a strand of signals intelligence agency GCHQ, is spearheading the probe. On its website, it reiterated password advice following the incident.
"To help people improve their password practices and manage the many passwords they need, we recommend the use of password managers," it stated.
"We advise against the regular changing of passwords where there is no indication or suspicion of compromise. However, the advice has always been clear that where there is evidence that your password has been compromised it should be changed quickly."