Exclusive: Dark threats to Scotland’s data – hacked credentials are ‘wake up call’ for public sector
Tens of thousands of email accounts belonging to public sector officials have been found on the dark web following a Futurescot investigation.
More than 42,000 “leaked credentials” and “compromised accounts” are listed on underground hacker forums, raising fears about potentially crippling cyberattacks. According to our probe, the dark web holds a vast cache of data stolen via third party website breaches, which are used as source material by hackers.
The investigation – conducted with Israeli dark net threat intelligence firm Kela – uncovered the trove of data from illicit “dump sources”, which contains data previously exposed as part of other breaches. Our sweep looked at more than 50 Scottish public sector organisations including the NHS, councils and central government, to see whether they may have employees or service users whose details from past breaches – including email addresses and often passwords – have ended up on dark web sites.
We are not specifying the breakdown of data among those organisations in order not to attract potential hackers to mount attacks.
However, the leaked data was described as a “wake-up call” following a string of recent ransomware attacks which have caused significant disruption across the public sector. On Christmas Eve, the Conti cybercrime group locked 1,200 staff from the Scottish Environment Protection Agency (Sepa) out of its network following a ransomware attack. Sepa refused to pay the ransom and had its internal, sensitive data released on the attackers’ dark web blog site as punishment. And the Glasgow homeless and social care provider, Aspire, was also hit by the same gang in April.
Scottish Conservative chief whip Stephen Kerr said: “The public will be alarmed to see that so much leaked email data across Scotland’s public sector bodies is so easily accessible for hackers.
“This data must be a wake-up call to ensure that the Scottish Government, local authorities and health boards have the most robust measures in place to avoid being attacked by hackers across the world.
“There can be absolutely no room for complacency when it comes to keeping vital information safe from being leaked, especially when we know that hackers are using more and more creative methods to try and access data.”
Some of the credentials in the leak sources appeared in multiple breaches. For example, 24 email addresses were leaked at least 100 times across various breaches. It is important to stress, though, that much of the public sector relies on its own monitoring services for dark web exposure and vulnerabilities, and many organisations will already have been aware of, and cleaned up after, the dump sources identified by Kela’s RaDark monitoring tools. The third-party breaches in which thousands of the credentials belonging to the 32 local authorities, 14 health boards and the Scottish Government appeared were also historic.
That does not mean there is no risk to public sector services, just that many organisations will have had an opportunity to prevent any further loss. One of the largest breach “compilations” in which much of the data appeared was the so-called “Collections #1-5”, a super-list of exposed data circulated by hackers in January 2019. The best known and biggest, dubbed “Collection #1”, contains over 1.5 billion email-password pairs, obtained by combining over 10,000 different breaches and credential lists. In October 2019, security researchers also found 1.4 billion personal records on an unsecured “elastic server”.
The records, later attributed to the data enrichment platform People Data Labs, contained information on people including email addresses, phone numbers, and social media profiles. Another large breach identified in the report was that of a LinkedIn hack in 2012 where over 160 million user credentials were leaked online. The hackers started to sell the credentials online in May 2016. Some of the credentials were emails along with encrypted passwords, while some credentials were emails only.
Leaked credentials from third party breaches do not give hackers direct access to an organisation whose domain information is listed in the exposure. For example, a government employee whose details were exposed via the LinkedIn hack may have used a different password to access their work email.
However, Kela stressed that the risk lies in users or employees re-using the same or similar passwords for multiple services they log in to, giving hackers the opportunity to brute force their way directly into the domain to which the email address belongs. They can also use the credentials to mount further spear-phishing campaigns designed to trick users into exposing their credentials, or sensitive information, or into downloading a malicious attachment with a “payload” that can be used for further attacks.
The 515 compromised accounts found in the Futurescot investigation represent a much higher threat level to organisations, as the credentials are stolen from a specific machine that is infected by malware. The credentials do not provide access to the machine itself; they provide access to the specific resources the stolen credentials unlock. For example, if a computer is infected, the malware can steal saved credentials for common web services such as Amazon, LinkedIn, or Twitter and, depending on its functionality, grab credentials by keylogging even if they were not saved.
That information can be used to directly access a network and mount a cyber-attack. However, we found that the majority of compromised accounts belonged not necessarily to employees of the organisations – but the users of external services, for example citizens accessing NHS jobs sites or council wifi.
In those scenarios the risk levels are not thought to be as high, as it is unlikely those users would have the administration privileges to cause severe network disruption. The revelations come at a time of heightened tension for public sector digital teams, particularly across the NHS, as a recent ransomware attack – again by the Conti group – on the health service in Ireland has illustrated.
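The two exposure types described above (stale third-party dump entries versus credentials stolen from an infected machine) call for different responses. The following is an added defender-side triage example, not code from Kela or from the article: it groups a constructed exposure export by organisation domain, counts how many dumps each address appears in, and assigns a reset priority. The domains, names and source labels are all fictional.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (fictional domains and people). "leak" rows stand for
# third-party dump entries; "bot" rows stand for credentials pulled from a
# malware-infected machine, which the article treats as a higher threat level.
SAMPLE_RECORDS = [
    {"email": "a.smith@example-council.gov.scot", "source": "Collection #1", "kind": "leak", "password": "hash"},
    {"email": "A.Smith@example-council.gov.scot", "source": "LinkedIn 2012", "kind": "leak", "password": "hash"},
    {"email": "a.smith@example-council.gov.scot", "source": "Collection #2", "kind": "leak", "password": "plain"},
    {"email": "b.jones@mail.example-health.scot", "source": "bot log 2021-03", "kind": "bot", "password": "plain"},
    {"email": "c.brown@example-health.scot", "source": "Collection #1", "kind": "leak", "password": None},
    {"email": "d.white@unrelated.example", "source": "Collection #1", "kind": "leak", "password": "plain"},
]

# Monitored organisations, keyed by base domain (fictional).
ORG_DOMAINS = {"example-council.gov.scot": "Example Council",
               "example-health.scot": "Example Health Board"}

@dataclass
class Finding:
    email: str
    org: str
    sources: list
    priority: str  # high: reset now and check the endpoint; medium: reset; low: notify

def org_for(email, org_domains):
    """Map an email address to a monitored organisation, subdomains included."""
    domain = email.rpartition("@")[2].lower()
    for base, org in org_domains.items():
        if domain == base or domain.endswith("." + base):
            return org
    return None

def triage(records, org_domains):
    """Collapse raw rows per address and rank them for the service desk."""
    grouped = defaultdict(list)
    for rec in records:
        org = org_for(rec["email"], org_domains)
        if org:  # rows for domains we do not own are ignored
            grouped[(rec["email"].lower(), org)].append(rec)
    findings = []
    for (email, org), recs in grouped.items():
        sources = sorted({r["source"] for r in recs})
        if any(r["kind"] == "bot" for r in recs):
            priority = "high"    # stolen from an infected machine, not a stale dump
        elif any(r["password"] == "plain" for r in recs) or len(sources) >= 3:
            priority = "medium"  # reusable secret, or repeated exposure across dumps
        else:
            priority = "low"     # address only, or hashed password in one old dump
        findings.append(Finding(email, org, sources, priority))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f.priority))
```

The case-insensitive grouping matters in practice, because the same address often appears with different capitalisation across dumps and would otherwise be counted as separate exposures.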
Deryck Mitchelson, director of digital and security for NHS National Services Scotland (NSS), said: “We are aware that a number of NHS Scotland credentials have been leaked on to the dark web. This is an issue that impacts organisations across the public and private sectors.
“The NHS is the largest employer in Scotland. Given the size of our workforce – and the number of former employees – the proportion of credentials available on the dark web is low.
“We note that a large number of these leaked credentials are out-of-date. Many include email addresses such as nhs.net that are no longer active.
“This reflects our robust and proactive approach to data protection and information governance. We constantly monitor threats and work with partners to mitigate against those threats.
“Our cloud-based digital solutions are designed to provide the highest standard of data assurance. External partners are also required to evidence robust data protection policies and practice and to commit to working with us to continually drive improvements in these areas.
“Where data has been leaked, it often relates to third-party sites, such as recruitment sites, where no patient or clinical information is held.
“No system is perfect but we can reassure everyone that we are continuing to apply and improve the highest standards of data governance. We also hold all of our suppliers and partners to that same standard.”
Councils were also among the organisations whose employees and users’ credentials were leaked on the dark web. In response to our research, Edinburgh, Glasgow and Fife councils underlined the importance they place on cyber resilience and security and stressed that they follow official national cyber guidance.
A Glasgow City Council spokesperson said the security team within its IT provider “reviewed the information received and have concluded that there is no risk to any sensitive data associated with this”, and that it had two factor authentication (2FA) in place.
A City of Edinburgh Council spokesperson added: “Cyber resilience and security are critical to the council and our IT partner, CGI. We apply a robust approach and processes in line with Government and National Cyber Security Centre (NCSC) guidance to keep our networks and systems as safe and secure as possible.
“Whenever our monitoring arrangements or intelligence from external sources identifies possible issues, we act quickly and decisively to address them and apply further improvements or learning for our future security arrangements.”
Martin Kotlewski, Fife Council’s service manager (solutions and service assurance), said: “We take the threat of cyber-attack seriously and follow government and NCSC guidance to manage our cyber resilience. This includes monitoring various intelligence sources and acting upon any emerging threats.
“As the third largest council in Scotland it is normal to have a proportionally higher number of events detected. Staff are provided with guidance around choosing secure passwords and the importance of not re-using them across internet sites. Strong passwords are only part of a layered security approach, and the council has mandated the use of multi-factor authentication for remote access since 2011.”
Providing a broader perspective, Andy Grayland, chief information security officer at the Digital Office for Scottish Local Government, said: “Security and IT professionals have known for some time about the risks associated with username and password data leaks on the dark web and wider internet.
“These leaks have driven the uptake of a number of technologies across the public sector and beyond which mitigate the likelihood of this data being useful to a future hacker. Users will always lose their credentials, there is very little organisations can do about that, but there are a multitude of tools available to help minimise the impact.
“The biggest single improvement organisations can make to their authentication process is to implement multi-factor authentication. Password managers are also a useful tool to enable users to have a unique password for every account they own, minimising the impact of stolen credentials.”
Whilst it did not feature among the organisations with the largest number of leaked credentials, the Scottish Government has a national responsibility for setting cyber policy and standards, which have recently been updated in a new “strategic framework for a cyber resilient Scotland”, and it has also recently played a role in establishing the CyberScotland Partnership.
A Scottish Government spokesperson said: “The Scottish Government provides its users with extensive guidance on password management including not reusing their password on any other systems.
“We follow best practice from the NCSC to ensure our password policies are both robust and secure. We have an education and awareness programme in place that educates our users on good cyber behaviours.
“The Scottish Government’s accounts and infrastructure are monitored by its cybersecurity operations centre which has robust monitoring and investigatory processes in place.
“We have a layered approach to cybersecurity and have in place strong cyber defence measures against the cyber threat, including multi-factor authentication, thus the presence of email addresses or user credentials on their own on the dark web are not sufficient indicators of threat or compromise.
“Also, email addresses for a citizen-centric public sector organisation will almost always be public and are included on almost all correspondence and communication – including Freedom of Information requests which are widely published on internet sites.”
Tools shine a light on threats
Kela’s RaDark tool was also deployed to simulate the reconnaissance path used by hackers to scan a network for vulnerabilities, based on its “attack surface mapping” capabilities. To find the best “vector” for an attack, cybercriminals will often look for outdated technologies or open ports as a way in. According to Kela’s analysis across the public sector domains, it found “multiple potential compromise points”, including exposed remote access services that could enable an attacker to access and further compromise a network, and outdated web technologies whose “inherent vulnerabilities could lead to an attack on the organisation’s website”.
David Carmiel, Kela’s chief executive, said: “Nowadays, every organisation – private or government, small, medium, or large – is constantly at risk due to the ever growing cybercrime ecosystem.
“Cybercriminals continually search for new opportunities to achieve one simple goal: monetise the data they obtain.
“The reason we do what we do at Kela is to provide our clients with ongoing visibility into their attack surface so that they can neutralise their most relevant cyber threats before damage is caused.
“By doing so, we are essentially helping our clients uncover the unknown cyber threats that they are constantly facing. Our mission is to successfully take away the fear of those unknown threats by automatically penetrating the hardest-to-reach corners of the cybercrime underground and turning general data into unique, contextualised and actionable intelligence relevant to each client.”