Britain's government-backed Cyber Essentials scheme has reportedly suffered a data breach. Cyber Essentials is designed to help businesses "protect themselves against common cyber attacks", but the breach reportedly exposed email addresses and passwords of numerous consultancies that registered with the service.
The Register reports that the firms were notified of the breach via email by Dr Emma Philpott, chief executive at the IASME Consortium, which is one of the six accrediting bodies for the Cyber Essentials scheme run by NCSC (National Cyber Security Center). Firms bidding for sensitive government contracts are reportedly required to acquire Cyber Essentials scheme's accreditation. The breach was reportedly caused by a configuration error in a platform used for Cyber Essentials' assessments, provided by Pervade Software.
If the data was accessed by hackers, it could leave employees of the affected firms open to possible phishing attacks. IBTimes UK has reached out to Pervade Software for further clarity on the matter.
"We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party," the alert sent out by IASME stated.
The notice also stated that an "unknown person" had accessed the leaked data, adding that "no other information" was accessed or "affected in any way". The breach reportedly did not include systems, firms' accounts and assessment data. The alert also stated that Pervade Software had "taken immediate steps to address the error and have resolved the issue".
"We paid to be audited and registered with the UK government Cyber Essentials scheme, in order to be able to do business with govt organisations," one affected worker told The Register. "Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the government."
The National Crime Agency and the Information Commissioner's Office have both been informed of the breach.