.jpeg)
More than 3,000 passwords belonging to civil servants have been exposed online since the beginning of 2024, according to new research, as experts warn it could pose a “serious risk” to national security.
A report by NordPass, using the threat exposure management platform NordStellar, found 3,014 passwords belonging to British civil servants have been leaked in the deep web – which encompasses parts of the internet that are not typically indexed by search engines– and the dark web, a small, encrypted part of the deep web that requires specific software to access and is often associated with cybercrime.
Four local authorities were named in the report as having passwords exposed online: Aberdeen City Council had 538 in total, while Lancashire County Council had 38, Newham Council had 73 and Southwark Council had 42 leaked on the dark and deep web.
It comes after The Independent revealed that hundreds of passwords and email addresses linked to UK government institutions were posted on the dark web in the last year, highlighting a major threat to UK cyber and national security. Among the most affected government departments are the Ministry of Justice with 195 exposed passwords, the Ministry of Defence (111), and Department of Work and Pensions (122).
A cyber security expert warned that the exposed sensitive data of civil servants was particularly dangerous as it could pose serious risks to the UK’s strategic interests.
Karolis Arbačiauskas, head of product at NordPass, said: “Exposure of sensitive data, including passwords, of civil servants is particularly dangerous. Compromised passwords can affect not only organisations and their employees but also large numbers of citizens. Moreover, such incidents may also pose serious risks to a country’s strategic interests.”
The report added that while the “vast majority of passwords exposed were those of employees working in regional level institutions,” the number of leaked passwords did not necessarily reflect the strength of an organisation’s internal security.
“These figures are often influenced by external factors,” said Mr Arbačiauskas. “Larger organisations, with more employees, naturally have a bigger digital footprint, which statistically increases the likelihood of credentials being exposed in a breach. In many cases, a single malware infection on an employee’s personal device or the compromise of a popular third-party website can expose dozens of accounts. Furthermore, the majority of leaks originate from external sites where employees registered using their work email addresses.”
He encouraged the practice of setting up an organisation-wide password policy, never reusing passwords, and using multi-factor authentication.
“If these passwords were not changed after their appearance on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially access the email accounts and other sensitive information of these civil servants,” he said. “Moreover, we found hundreds of thousands of email addresses with other exposed data like names, last names, phone numbers, autofills, and cookies. This data can be exploited for phishing attacks and pose significant risks.”
It comes as the National Cyber Security Centre (NCSC) said on Tuesday that a “significant threat” posed by Chinese and Russian hackers had contributed to a record number of serious online attacks. A number of UK businesses, such as M&S, Jaguar Land Rover and Co-op have been hit by cyber attacks this year, crippling their operations and costing the firms billions.
In the year to the end of August, NCSC provided support in 429 cases, of which 204 were deemed “nationally significant incidents” – an increase from 89 in the previous 12 months. Of those, 18 were categorised as “highly significant”, meaning they had a serious impact on government, essential services, the economy or a large proportion of the UK population.
A spokesperson for Newham Council said: “It is an unfortunate reality that organisations like Newham Council will always be a target for criminals. Newham Council takes cybersecurity extremely seriously and have a number of robust measures in place to reduce risk. We regularly provide training and guidance to our staff making them aware of the risks and effective technical controls to reduce specific cyber risks. We do not comment on specific details of our cyber security controls and policies.”
The Independent has approached Aberdeen City Council, Lancashire County Council, and Southwark Council for comment.
.jpeg)
English (US) ·