In total, 26 users of the parliamentary network (a network which includes Members of Parliament, members of the House of Lords, their own staff, staff of both Houses, and a number of contractors) had their accounts directly compromised. This number is smaller than originally reported:
- Ten constituency offices were affected, comprising the accounts of six MPs and ten MPs’ staff.
- One user was a Member of the House of Lords, and one was a member of their staff.
- Five users were personnel from the House of Commons Administration (in one case a contractor); two were members of staff from the House of Lords Administration. One user was a sub-contractor of the Parliamentary Digital Service.
We will not be publicly commenting on the identities of any parliamentary account holders affected.
These compromises were made possible by the use of passwords that complied with the technical controls in place but did not conform to the guidance issued by the Parliamentary Digital Service. Three of the six MPs had accounts compromised because their mailboxes were linked to the accounts of members of their staff whose passwords had been compromised.
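The distinction above, between a password that a directory's technical control will accept and one that meets written guidance, is easy to see in code. The following is an added illustration and is not part of the parliamentary statement, nor does it reflect the Parliamentary Digital Service's actual rules: the technical control (8 characters, three of four character classes), the guidance (12 characters, no common password, no organisation-related word), the banned-word lists and the sample passwords are all assumptions constructed for the example. It audits a set of passwords and reports those that pass the technical control yet breach the guidance.

```python
"""Added example: the gap between a technical password control and guidance.
Policy parameters, word lists and sample passwords are assumptions constructed
for illustration; they are not Parliament's actual rules or data."""
import re
import string
from typing import Dict, Iterable, Optional

# Assumed technical control: 8+ characters from at least 3 of 4 classes.
MIN_LEN_TECHNICAL = 8
MIN_CLASSES = 3

# Assumed guidance: 12+ characters, no common password, no organisation word.
MIN_LEN_GUIDANCE = 12
BANNED_STEMS = {"password", "welcome", "summer", "winter", "letmein", "qwerty", "monkey"}
CONTEXT_WORDS = {"parliament", "commons", "lords", "westminster"}

# Substitutions an attacker's wordlist rules undo before matching.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "!": "i"})

# Constructed sample passwords (not from any real breach).
SAMPLE_PASSWORDS = [
    "P@ssw0rd",                # complexity-compliant, but a common password
    "Parliament1!",            # complexity-compliant, organisation word
    "Summer2017!",             # complexity-compliant, season + year
    "Welcome123!",             # complexity-compliant, common word + digits
    "Hou$e0fC0mm0ns",          # leet-speak organisation phrase
    "shoe-lantern-cobalt-39",  # random words: passes both checks
    "qwerty",                  # fails both checks
]


def passes_technical_control(pw: str) -> bool:
    """Length plus character-class complexity, as a directory would enforce it."""
    if len(pw) < MIN_LEN_TECHNICAL:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) >= MIN_CLASSES


def normalise(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, undo leet substitutions."""
    stem = re.sub(r"[^A-Za-z]+$", "", pw.lower())
    return stem.translate(LEET)


def guidance_failure(pw: str) -> Optional[str]:
    """Reason the password breaches guidance, or None if it conforms."""
    stem = normalise(pw)
    if stem in BANNED_STEMS:
        return f"common password stem '{stem}'"
    for word in sorted(CONTEXT_WORDS):
        if word in stem:
            return f"contains organisation word '{word}'"
    if len(pw) < MIN_LEN_GUIDANCE:
        return "shorter than guidance minimum"
    return None


def audit(passwords: Iterable[str]) -> Dict[str, str]:
    """Passwords the technical control accepts but guidance rejects, with reasons."""
    gap: Dict[str, str] = {}
    for pw in passwords:
        if not passes_technical_control(pw):
            continue
        reason = guidance_failure(pw)
        if reason:
            gap[pw] = reason
    return gap


if __name__ == "__main__":
    for pw, reason in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: passes technical control, breaches guidance ({reason})")
```

The point of the normalisation step is that the attacker's wordlist rules (strip the trailing digits and punctuation, undo leet substitutions) are exactly what a guidance check has to apply too; a control that only counts character classes never sees that "P@ssw0rd" and "password" are the same candidate.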
In total, 39 mailbox accounts were compromised. This number is greater than the total of 26 users because two users had more than one mailbox, and because 11 generic organisational mailboxes were also compromised.
The National Crime Agency and National Cyber Security Centre are both investigating who was responsible.
All users of the parliamentary network whose passwords were compromised have been contacted directly.
MPs and members of the House of Lords are data controllers, as defined in the Data Protection Act 1998, independently of the House of Commons and the House of Lords. The Administrations of both Houses of Parliament are actively supporting affected Members and their offices with advice, guidance and provision of technical information. As the data controller, it remains the responsibility of Members to assess the risk of harm and data loss and decide whether to notify the Information Commissioner’s Office (ICO) of a data breach; and whether and how best to notify people impacted. That is in hand.
The Clerks of each House are data controllers in relation to their own staff, contractors and generic organisational mailboxes. Both Houses notified the ICO of a data breach on Wednesday 5 July 2017. We are working closely with the ICO, to provide further information and updates on request. Analysis has been done of the volume and nature of data in the relevant mailboxes, and an assessment made in line with ICO guidance. In the case of one compromised generic organisational mailbox, a Commons Select Committee mailbox, 77 people have been notified that personal data (information on personal circumstances provided to support the work of the Committee) was contained in the mailbox and so may be at risk of compromise.
We have invested heavily in cyber security measures and will continue to do so. A series of technology changes – including multi-factor authentication – have already been made to increase security.
UPDATE DECEMBER 2017
Following an investigation into the unauthorised access of a small number of parliamentary accounts in June 2017, the Information Commissioner’s Office (ICO) has decided that no formal action is necessary against either the House of Commons or House of Lords. The ICO recognises that Parliament was actively engaging in a cyber security programme which was already addressing potential vulnerabilities relating to passwords. The ICO has made recommendations which, where they are not already in place, will be taken forward by the Parliamentary Digital Service in conjunction with Members and staff of both Houses.