Ineffective security patching and poor password management allowed the personal data of millions of UK voters to be exposed, according to the country’s data watchdog.

The Information Commissioner’s Office (ICO) said that the Electoral Commission’s failure to take “basic steps” saw the records of 40 million people exposed by a breach that happened in August 2021.

At the time, the attackers gained access to the electoral body’s Microsoft Exchange Server by impersonating a user account and exploiting known, unpatched software vulnerabilities in the system.

The attackers retained access until October 2022, returning to the servers on several occasions without the Electoral Commission’s knowledge. The compromised systems held personal information from the Electoral Register, including names and home addresses.

The elections watchdog only disclosed the breach to the public in August 2023, two years after it took place.

The ICO’s investigation found that the Electoral Commission did not have appropriate security measures in place, such as keeping servers up to date with the latest security patches.

The Commission also had insufficient password policies in place at the time: many accounts were still using passwords identical or similar to the ones originally allocated by the service desk.
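The second finding describes a concrete, checkable weakness: a password policy that lets users keep, or trivially vary, the password a service desk handed them. The following is an added illustration of that check, not code from the ICO, the Electoral Commission or this article. The service-desk password, the candidate passwords and the edit-distance threshold are constructed for the example; the leet-speak map and the two-edit threshold are assumptions a real policy would tune.

```python
"""Reject new passwords that are identical or similar to a service-desk allocated one.

Added example; the passwords and thresholds below are constructed, not taken
from the Electoral Commission incident.
"""
import re
from typing import Optional

# Assumed map of common keyboard substitutions users apply when "changing" a
# default password (P@ssw0rd, W3lcome). Extend to suit the environment.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Collapse trivial mutations: case, appended digits/symbols and leet-speak.

    Order matters: trailing and leading non-letters (e.g. "2021!") are stripped
    before the leet map runs, so that "!" is not first turned into "i".
    """
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # strip appended "1", "!", "2021" ...
    core = re.sub(r"^[^a-z]+", "", core)   # strip prepended digits/symbols
    return core.translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_against_assigned(candidate: str, assigned: str,
                           max_distance: int = 2) -> Optional[str]:
    """Return a rejection reason, or None when the candidate is acceptable.

    Length, dictionary and breach-list checks belong in separate rules; this
    function only answers "is it still the service-desk password in disguise?".
    """
    if candidate == assigned:
        return "identical to the service-desk password"
    c, a = normalize(candidate), normalize(assigned)
    if c == a:
        return "only case, leet-speak or trailing characters differ"
    if a and c and (a in c or c in a):
        return "contains the service-desk password"
    if levenshtein(c, a) <= max_distance:
        return f"within {max_distance} edits of the service-desk password"
    return None


if __name__ == "__main__":
    # Constructed sample: a service-desk default and typical user "changes".
    assigned = "Welcome2021!"
    for candidate in ("Welcome2021!", "W3lcome2022!", "Welcomes2021!",
                      "Welcame", "correct horse battery staple"):
        verdict = check_against_assigned(candidate, assigned) or "accepted"
        print(f"{candidate!r:35} -> {verdict}")
```

The normalisation deliberately runs before the edit-distance comparison: without it, "Welcome2021!" and "W3lcome2022!" differ in three characters and would pass a naive distance check, which is exactly the kind of "changed" default the ICO finding describes.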

Stephen Bonner, deputy commissioner at the ICO, said that if the body had taken these “basic steps,” it is “highly likely that this data breach would not have happened.”

Bonner acknowledged that the attack caused “considerable public alarm” when news of the breach emerged last year, but said the ICO wanted to reassure the public that there is no reason to believe any personal data had been misused, and that it found no evidence of direct harm caused by the breach.

“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure,” he concluded.

Electoral Commission response

In response to the conclusion of the investigation, a spokesperson for the Electoral Commission said that it regrets that sufficient protections were not in place to prevent the cyber-attack on the Commission.

“Since the cyber-attack, security and data protection experts – including the ICO, National Cyber Security Centre, and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.”

The spokesperson said the Commission will continue to work with the UK government and the wider electoral community to safeguard the electoral system.

It added that data accessed when the attack took place does not impact how people register, vote, or participate in democratic processes.

Industry thoughts

Dominic Trott, director of strategy and alliances, Orange Cyberdefense UK, said that the cyber-attack should have been disclosed to the public earlier.

Trott said that the cyber-attack “represented not just a breach of critical national infrastructure (CNI) or personal information, but a breach of democratic instruments themselves.”

“While it is encouraging to see the ICO reprimand the Electoral Commission today, in future, swift public disclosure is crucial to maintaining trust and allowing individuals to protect themselves.”

He added that he was reassured by the news that the Electoral Commission has since strengthened its security posture – “we can therefore hope that if it is targeted again in future, the attack will come to light and be communicated quicker than in this instance.”

Meanwhile, Sarah Pearce, partner at law firm Hunton Andrews Kurth, said it was interesting that the ICO chose to issue the Electoral Commission with a reprimand rather than a fine.

Pearce added that while the reprimand was issued under the UK GDPR, she recognised that the ICO’s use of reprimands has been controversial in the past.

The use of reprimands should be reserved for “minor infringements,” Pearce explained. However, “the infringements in the reprimand issued to the Electoral Commission would appear to be serious – and with serious impact.”

Still, the reprimand is in line with the ICO’s revised approach to public sector enforcement, Pearce added, “in which the UK Commissioner, John Edwards, outlined his plans to reduce the impact of fines on the public sector and the increased use of the ICO’s wide powers, including reprimands, with fines reserved for only ‘the most serious cases.’”
