The third-party mailbox used by Computacenter employees and contractors to deposit data for security clearance applications has been hacked and used in phishing scams.
The company, one of Europe's largest resellers, counts some of the biggest names in financial services among its corporate client base, and sells to a raft of local and central government customers.
Computacenter wrote to its staff yesterday to confirm the incident:
We have established that a mailbox provided by a third party as part of the vetting service it provides to Computacenter UK Ltd has been the target of a cyber security attack. Unfortunately, we believe the mailbox may have included data relating to you.
The mailbox was used to collate data from individuals when information relating to their security clearance applications was deemed to be missing or incorrect. The information requested could include ID data, contact details, bank details, addresses and employment history.
The "attacker" gained entry and changed the password for the mailbox, which system audit logs showed prevented further access by Computacenter. The mailbox was then used to send phishing emails.
"However, these logs cannot tell us precisely what was in the mailbox at the time of the attack or whether the data was exported or just deleted," the mail to staff stated.
On being made aware of the attack, Computacenter said it initiated the Group Information Assurance compliance methodology, establishing that other systems connected to the security vetting process were unaffected and "secure workaround processes for security clearance have been implemented".
The reseller also, obviously, blocked further unauthorised access to the mailbox, stopped using it and "advised users not to send information to it".
"The mailbox will be permanently deleted once the investigation and root cause analysis is completed," the memo to staff added. "We would also like to re-emphasise that the attack was not on Computacenter's own email system."
That will come as small consolation to any employee or contractors whose details were exposed in the leak.
The company added: "Whilst we believe that the motive for the attack was disruptive rather than exploitative, you should consider the possibility of identification theft or fraud." Depending on the type of information provided, staff were urged to monitor account statements for "evidence of unauthorised activity".
Computacenter is offering a 12-month free ID monitoring service, but to access it staff and contractors need to email the UK Vetting Team.
One source who sent data to the affected mailbox told us it was used for vetting Computacenter workers for all sorts of sites and customers. He told us the company requested various forms of documentation including a passport, driving licence and bank statements.
"I was told if I did not provide them I could not be on-site. Now it's a custom identity fraud kit," one of our sources said.
Computacenter has told Britain's Information Commissioner's Office of the security breach. The Register asked the ICO and Computacenter to comment. ®
Updated 11.14BST to add:
An ICO spokesperson contacted us to say: “Computacenter has made us aware of an incident and we will assess the information provided”.