Up to 90 Parliamentary accounts have been compromised in what appears to be an unsophisticated "brute force" attack on the email system used by Parliamentary workers and Members of Parliament alike.
"As a result, some Members of Parliament (lawmakers) and staff cannot access their email accounts outside of Westminster", it said, adding that IT services at Parliament itself are working normally.
The ongoing investigation has so far revealed a brute-force style attack that attempted to identify "weak passwords that did not conform to guidance issued by the Parliamentary Digital Service". All of the affected accounts were using passwords that fell below the security standards set by the Parliamentary Digital Service.
"IT services on the parliamentary estate are working normally". Simple security measures like multifactor authentication - requiring confirmation by app or text message before logging in - would make it much harder for hackers to gain access to email accounts. That means that the attack did not affect accounts hosted on the gov.uk domain, which ministers - all of whom are MPs - are instructed to use for any confidential work or communications.
"It would be inappropriate to comment on the other questions while investigations are ongoing", a spokesman tells ISMG.
The attack has been described as a "sustained and determined cyber attack", which was first picked up on Friday and affected "fewer than one per cent of the 9,000 users of the IT system", according to Chris Rennard, a member of the Liberal Democrat party. Multiple media outlets have quoted unnamed sources in the British intelligence sphere suggesting that the attack must have been sponsored by a nation state.
Security agents believe that a foreign government, rather than a criminal group, carried out the attack, and that only Russia, China, North Korea or Iran would have the capabilities and motivation to do so, according to sources speaking to the Guardian.
The same source, however, adds a massive caveat: "The nature of cyberattacks means it is notoriously hard to attribute an incident to a specific actor".
Liam Fox, Britain's International Trade Secretary, told ITV News that the attack was "a warning to everyone: We need more security and better passwords".
"We know that our public services are attacked so it's not at all surprising that there should be an attempt to hack into parliamentary emails".
Forcing parliamentarians to use more secure passwords would also hinder these attacks.