(Bloomberg) — Staff at the U.K. Parliament remain hampered after a cyberattack that compromised about 90 lawmakers’ email accounts.
To prevent the attackers from gaining access to vital data, Parliament has limited the ability of MPs to access the legislature’s computer network remotely. Those restrictions remained in place Monday. A House of Commons spokeswoman said in a statement that Parliament is planning to resume its wider IT services.
Staff arriving at Parliament Monday morning were handed notices informing them that access to the parliamentary network was suspended for all users until they changed their passwords and put in place multi-factor authentication. This is an added layer of security that requires users to present another type of identifying information beyond just a password. In this case, Parliament is asking users for a mobile-phone number that can be used to text them a security code. The notice also reminded staff how to choose a strong password.
The spokeswoman described the cyberattack as “sustained and determined.” Hackers gained access to lawmakers’ accounts that had used “weak passwords” that did not comply with government guidance, the spokeswoman said.
Last week, The Times of London reported that passwords for thousands of U.K. government officials had been made available for purchase on Russian hacker forums. The passwords were believed to have been stolen in a 2012 hack of the business social network LinkedIn.
The House of Commons said the investigation into the most recent cyberattack was ongoing. It said the attack had compromised fewer than one percent of the 9,000 accounts on Parliament’s network.
“As they are identified, the individuals whose accounts have been compromised have been contracted and investigations to determine whether any data has been lost are under way,” the Commons statement said.
The Parliament has been working with the National Cyber Security Centre, a division of Government Communications Headquarters (GCHQ), the U.K. signals intelligence agency, to investigate the hack.
Cybersecurity experts said the attack was a wake-up call. “This initial attack may have only affected one percent of parliamentary emails, but getting into one is enough,” said Jamie Graves, the chief executive officer of Edinburgh-based cybersecurity company ZoneFox. He said compromising a single account could allow hackers to penetrate vital government systems. “It really calls into question the security practices of government if, in 2017, we are still being compromised by the basics, such as weak passwords.”
Neil Larkins, co-founder and chief operating officer of London-based Egress Software Technologies, which provides message-encryption technology, said that the attack demonstrated that human beings remain the biggest security vulnerability for most computer networks. “Hackers weren’t targeting the technology, but the people,” he said.