Parliament’s cyber experts have just warned all MPs to better protect their private info following the Mail on Sunday’s story revealing a massive data breach of senior ministers’ personal phone numbers and passwords, all available on the web to anyone willing to cough up just £6.49. Including the private numbers of the PM, the Foreign Secretary and the Chancellor…
In an email sent this afternoon by Alison Giles and Mark Harbord, Parliament’s Director of Security and the Director of Cyber Security respectively, Members are encouraged to “[follow] online security best practice” and warned that the “risk of attacks by social engineering is also greater if an individual’s personal data are widely available online”. Although they do try to calm nerves a bit by insisting some of the data is “out-of-date”…
Read the full text below…
Dear Members,
You may have recently seen an article in the Mail on Sunday which highlighted a US-based data aggregation website which journalists had used to obtain the personal data (phone numbers, email addresses and in some cases passwords for sites such as LinkedIn or Dropbox) of Cabinet and Shadow Cabinet Ministers.
This security notice provides some more detail and offers advice on how to keep yourself safe online.
What has happened? The Mail on Sunday recently highlighted a US-based data aggregation website, which collates large amounts of personal data (phone numbers, addresses, email addresses, passwords, etc) found on the Internet and allows subscribers to search it by name or unique selector (e.g. email address). The data includes that of many millions of individuals worldwide and is not limited to UK Parliamentarians. Whilst most of the data on the site is already publicly available, some is ‘previously leaked’ data which the site has found online. This US-based website is one of a number of data aggregation websites offering similar services.
What’s the risk? As stated, much of the data on aggregation sites is already publicly available, or has been previously leaked onto the internet (and some is inaccurate or out-of-date). Aggregation sites make it easier for users to search for such information, which can then be used for nefarious purposes (such as sending ‘phishing’ attacks designed at gaining access to a user’s personal or financial details, or accessing voicemails not protected by a robust PIN). The risk of attacks by social engineering is also greater if an individual’s personal details are widely available online.
What should I do? Whilst data aggregation sites, and the data they hold, are not a new risk, it is possible that the press coverage will have increased public awareness of these services and could lead to an increase in targeting of accounts or general malicious online activity. Following online security best practice (such as using complex passwords and changing them regularly, applying two factor authentication to online accounts and completing system updates promptly) and reporting any suspicious activity will reduce the chances of a successful compromise.