Security consulting firm insists no student gained an unfair advantage

Cybersecurity accreditation provider CREST has branded NCC Group “vicariously responsible” for employees who were involved in a cheating scandal first reported last summer.

In August 2020, CREST was made aware of potentially sensitive files posted to Dropbox and GitHub. The two caches contained content relating to the CREST Certified Infrastructure Tester (CCT Inf) and Certified Web Application Tester (CCT App) courses.

Hundreds of files were uploaded, but some were duplicates. Only 25 of these files were considered problematic, but some of the leaked material was said to have included exam and revision notes, as well as NCC Group training materials.

The identity of those who posted the material has never been established.




In the months following, CREST refreshed the infosec courses in question and appointed an independent board to investigate, together with the assistance of the UK’s National Cyber Security Centre (NCSC).

The probe has taken 12 months to complete.

CREST has now issued a final statement on the situation, accompanied by a report (PDF), concluding that the investigation centered around two occasions, taking place between 2012 and 2014, in which “the examination-related activities of some NCC Group employees and candidates breached the CREST code of conduct and non-disclosure agreements [NDAs]”.

“As their employer, NCC Group was, at the time, vicariously responsible for those individuals,” the report says.

Lengthy investigation

The likely NDA breaches, in CREST’s eyes, involved an NCC Group employee talking about CREST exams and candidates creating notes based on the tests.

However, CREST acknowledged that there do not appear to be any “anomalies” suggesting NCC Group students capitalized on the leaked data to their advantage.

“We acknowledge that the whole investigation and review process has taken significantly longer than people would have liked,” CREST said. “It has been complex, and we have done everything we can to ensure that it has been based on high-quality evidence, thorough and fair throughout.”




In a statement on August 26, NCC Group said the organization “fully accepts” the results of the investigation, highlighting that there was “no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity [and] there was no evidence that any NCC Group candidate gained an unfair advantage when sitting a CREST exam”.

NCC added that improvements have been made to internal processes following an in-house investigation.

“We further support and welcome CREST’s own improvements, which we believe will benefit all members and strengthen the value the examination process has in protecting society from the ever-increasing threat landscape,” NCC Group says.

The Daily Swig has reached out to CREST for further comment and we will update when we hear back.

NCC Group declined to comment further.

