A "determined" attacker has breached the email system of the UK Parliament over the weekend, according to a statement put out by the UK government on Sunday afternoon.
The attack took place on Saturday and consisted of a brute-force attack that attempted to guess the passwords of email accounts belonging to various members of Parliament (MPs).
Initially, the Parliament's system administrators detected the attack and shut down the email servers to prevent compromise.
In a statement on Twitter, the House of Commons press office brazenly said the "Parliament has robust measures in place to protect all our accounts and systems."
A day later, those robust measures didn't hold up, and the UK Parliament had to eat its words.
"Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts of the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service," the UK government said in a statement. "As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way."
Victim-blaming should not have been the Parliament's main reaction to the recent cyber-attack. Any system administrator knows that users will use weak passwords no matter how many warnings they issue.
Furthermore, being compromised via a brute-force attack, when there are multiple well-known methods of protecting servers against such tactics, is simply unbecoming of a government that is currently pushing to introduce encryption backdoors.
If the UK government experts can't secure a trivial email server, how can anyone trust them to protect any backdoors to encrypted communications?
Furthermore, the brute-force attack that gained access to these accounts came two days after reports of Russian hackers selling access to British MPs' passwords extracted from various public data breaches. The Parliament's IT staff should have shown an abundance of caution and changed everyone's passwords back then, and should in any case have had anti-brute-force measures and two-factor authentication enabled by default, at all times.
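As an added illustration that is not part of the article, the following Python sketch shows the kind of detection a mail-server defender would run to catch an attack like this one early: a burst of failed logins from one source, one source cycling through many accounts (password spraying), and a success from a source that was already flagged. The log format, thresholds, account names and addresses are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not any real mail server's layout):
# "<ISO timestamp> auth-<fail|ok> user=<account> ip=<source>"
SAMPLE_LOG = """\
2017-06-24T09:00:01 auth-fail user=mp.alpha ip=203.0.113.9
2017-06-24T09:00:02 auth-fail user=mp.bravo ip=203.0.113.9
2017-06-24T09:00:03 auth-fail user=mp.charlie ip=203.0.113.9
2017-06-24T09:00:04 auth-fail user=mp.delta ip=203.0.113.9
2017-06-24T09:00:05 auth-fail user=mp.echo ip=203.0.113.9
2017-06-24T09:00:06 auth-ok user=mp.echo ip=203.0.113.9
2017-06-24T09:00:07 auth-fail user=mp.alpha ip=198.51.100.4
2017-06-24T09:30:00 auth-fail user=mp.alpha ip=198.51.100.4
2017-06-24T09:31:00 auth-ok user=mp.alpha ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) auth-(fail|ok) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Yield (timestamp, outcome, user, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_accounts=4):
    """Sliding-window detector. Flags a source as 'brute-force' once it has
    fail_threshold failures inside `window`, as 'spray' once those failures touch
    spray_accounts distinct users, and records any later successful login from a
    flagged source as a likely compromised account."""
    recent = defaultdict(list)   # ip -> failures (ts, user) still inside the window
    flagged = {}                 # (kind, ip) -> timestamp of first detection
    suspect_logins = []          # (user, ip) successes from an already flagged source
    for ts, outcome, user, ip in sorted(events):
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if outcome == "fail":
            recent[ip].append((ts, user))
            if len(recent[ip]) >= fail_threshold:
                flagged.setdefault(("brute-force", ip), ts)
            if len({u for _, u in recent[ip]}) >= spray_accounts:
                flagged.setdefault(("spray", ip), ts)
        elif any(kind_ip[1] == ip for kind_ip in flagged):
            suspect_logins.append((user, ip))
    return flagged, suspect_logins


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

The second source (two slow failures half an hour apart, then a success) stays unflagged, which is the expected trade-off of a windowed threshold; a lockout or rate limit at the server, plus two-factor authentication, is what stops the fast burst from succeeding at all.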