MPs Warned Over Data Leaks Linked to Official Email Addresses

UK MPs have been warned about using their parliamentary email accounts for anything other than work after a Swiss online service provider revealed that 216 data breaches had been linked to MPs’ email addresses. Over two-thirds of MPs’ email addresses from the UK parliament were found on the dark web, although no accounts were found to be at current risk. Security experts warned that leaked passwords could be used for hijacking victims’ accounts if the same passwords were reused and that some politicians used their work email addresses for services including LinkedIn, Dropbox and dating websites.

Proton’s research also found that 68% of UK parliamentary email addresses appeared on the dark web compared with 44% for European Parliament members and 18% for French MPs. Proton examined 2,280 official email addresses, including 650 from the UK Parliament, 925 from the French Parliament, and 705 from the European Parliament. Politicians were reminded not to recycle passwords and to use two-factor authentication.

Proton also warned that if leaked passwords were reused by politicians, and two-factor authentication not used, hackers could access government systems. The company found sensitive information linked to politicians’ email accounts including their dates of birth, home addresses and social media accounts. In addition, 216 UK parliamentary passwords were exposed in plaintext including 30 linked to the worst affected MP. In comparison, 161 MEPs’ passwords were exposed, with the most targeted MEP exposed for 27 times; and 320 passwords linked to French lawmakers were exposed, with one politician targeted 137 times.

Security specialists also urged politicians not to use parliamentary email accounts for anything other than work. They recommended using a password manager and multi-factor authentication. A parliamentary spokesperson said the body had robust cybersecurity measures in place and provided information to users about risk management. No MPs are currently in place because Parliament has been dissolved in preparation for the 4 July general election.

Individual MPs and staffers have now been offered a new service by the UK’s National Cyber Security Centre (NCSC) designed to prevent access to malicious domains. The free Domain Name System (DNS) filtering opt-in service offers an extra layer of security. Users are warned if they attempt to access a malicious domain from home or another device and outgoing traffic is blocked if its destination is such a domain. The NCSC’s director for national resilience and future technology, Jonathon Ellison, urged users to sign up, warning those with important roles in democracy were a frequent target for hackers.