Case Studies

Electoral Commission breach

by Mark Rowe

The Electoral Commission has been the subject of a complex cyber-attack, it has announced. The incident was identified in October 2022 after suspicious activity was detected on the regulator’s systems. The Commission says it became clear that hostile actors had first accessed the systems in August 2021. The Commission has since worked with external security and the UK’s official National Cyber Security Centre (NCSC).

Shaun McNally, the Electoral Commission Chief Executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.

“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”

He added that the data in the electoral registers is limited, and much of it is already in the public domain. The registers held at the time of the attack include name and address of anyone in the UK who was registered to vote between 2014 and 2022, and the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.

Background

Electoral registers are held and maintained by each council’s Electoral Registration Officers, but the Commission is one of a number of organisations which has copies. As required under data protection law, the Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying that data on its systems may have been accessed. The ICO is investigating.

Comments

Mark Jow, EMEA CTO at Gigamon, described it as an incredibly sophisticated attack, purpose-built to evade its specific security controls. “The image of the unseen threat lurking in your midst is one that keeps a majority of CISOs up at night, making the Electoral Commission’s 15-month gap in detecting the hack a nightmare scenario. Despite this, blind spots continue to pose a risk to organisations’ sensitive data and security leaders’ ability to respond to security incidents.

“Today’s modern, hybrid cloud networks are inherently complex, and traditional security and monitoring tools are often insufficient in addressing unseen weaknesses and security gaps in this area. It’s an ongoing visibility challenge, and one that bad actors are keen to exploit. Cyber criminals don’t solely act for financial gain, and nation-critical organisations in particular need to remain alert over any suspicious activity in their systems.”

David Bicknell, Principal Analyst, Thematic Intelligence at GlobalData, called it a highly disturbing breach that raised questions about the cyber governance of the UK’s independent and public bodies and the technical advice they are given. “This suggests cybersecurity was either not regarded as a high enough priority at the Commission or that mistakes were made. Which organization advised the Commission on its cybersecurity protection measures?

“Given the sensitive nature of its work, overseeing elections and regulating political finance, the Commission should have had the highest cybersecurity measures in place. Did the National Cyber Security Centre scrutinize them? And if not, why not? Are other public bodies similarly insufficiently cyber-protected? One would have to assume so.

“There is also concern over the time it took for this breach to be disclosed. The breach was identified in October 2022, and the Information Commissioner was notified within 72 hours. But it has taken 10 months to inform the public of the breach. This is far too much of a delay. There is a risk that some organizations could regard 10 months as an acceptable timeframe and the going rate for public disclosure.”

Sylvain Cortes, VP Strategy & 17x Microsoft MVP, at the cyber firm Hackuity, said: “Hackers are a patient bunch. Two years in a victim’s systems is far from unheard of. Equally worrying is the Electoral Commission’s inability to identify what the attackers were scoping out to begin with and may well have stolen. As the saying goes, you don’t know what you don’t know. Clearly, the Commission doesn’t have the necessary cybersecurity fundamentals in place, and they’ve admitted as much. An always-on, global view of vulnerabilities and their exploitation is mission-critical for organisations. The silver lining? The cure for negligence tends to be a wakeup call of this sort.”


© 2024 Professional Security Magazine. All rights reserved.
