Surge in cyberattacks targeting House of Commons

Data shows malicious emails have increased by 358 percent in 2021

Posted 26 October 2021 by Christine Horton

The House of Commons (HoC) has been targeted by more than 126 million malicious emails in 2021 so far – already a 358 percent increase on the nearly 28 million malicious emails received in January to December 2020.

This data was obtained and analysed by a Parliament Street think tank under the Freedom of Information (FoI) act.

The data revealed that there have been over 200 million malicious emails blocked by the HoC since 2018, including phishing attacks, malware and spam.  

In 2018, the HoC were targeted by 15,749,780 malicious emails, in 2019 this rose to 30,303,536, before dropping to 27,608,490 in 2020 and then surging skyward to 126,434,643 in the nine month period observed so far, from January to September, in 2021.

This suggests the final figure for 2021 could be as high as 150 million by the end of the year.

Whilst all of these malicious emails were blocked by the HoC, data breaches impacting the public sector are not uncommon. Recently, the UK Parliament’s expenses watchdog accidentally leaked the names, home addresses, and a phone number for parliamentary staffers working for Labour MP Dawn Butler.

On October 8, in response to a freedom of information request, the Independent Parliamentary Standards Authority (IPSA) published the receipts for two laptop stands purchased by Butler for her staff to use.

The receipts contained the unredacted names and home addresses of two of Butler’s staffers, who work for the MP in Parliament. Insider has redacted the staffers’ personal data.

Torsten George, Cyber Evangelist for Absolute Software said:“While the numbers reported by Parliament Street are mind-boggling, they are not something out of the ordinary. Post-mortem analysis of data breaches shows that most of today’s cyberattacks are front ended by phishing campaigns. This is not surprising, since the easiest way for a threat actor to gain access to sensitive data is by compromising an end user’s identity and credentials.

“In fact, Forrester Research estimates that 80 percent of today’s data breaches are tied to weak, stolen, default, or otherwise compromised credentials. Ultimately, stealing valid credentials via phishing attacks and using them to access a network is easier, less risky, and in the end more efficient than exploiting existing vulnerabilities, even a zero-day. Cyber security defences need to adapt to this reality. End user education and beefing up an organisation’s authentication systems by applying Zero Trust principles are two essential steps that can minimise the risks associated with phishing and subsequent cyberattacks aimed at data exfiltration.”

Public sector “one of the biggest targets”

Security specialist Chris Ross, SVP International, for Barracuda Networks added:“Our analysis from 2020 revealed that public sector organisations are one of the biggest targets of ransomware attacks due to the sensitivity of the information stored on its servers, combined with the inherent weaknesses in some of their department’s security protocols.

“Combatting this issue requires blocking the threat from the source, using advanced inbound and outbound security techniques that go beyond the traditional gateway. This includes using machine-learning enabled software to close the technical and human error gaps often found in an organisation.”

Elsewhere, Cyber expert Tim Sadler, CEO & co-Founder at Tessian said phishing attacks have become one of the easiest ways for cybercriminals to hack into an organisation, and 2021 created the perfect storm for a surge.

“Remote work meant employees were more reliant on email to stay connected with colleagues while verifying the legitimacy of an email became more difficult. It just takes one email to slip through the cracks, and one employee to fall for the scam to cause a serious security incident.

“So, as phishing attacks continue to rise and become more sophisticated, businesses must empower people to be more resilient to these threats – providing them with the tools and knowledge they need to spot the scams and avoid falling victim – wherever they choose to work,” he added.