Watchdog reprimands Electoral Commission

by Mark Rowe

The Electoral Commission failed to do basic patching on its ‘out of date’ infrastructure, the data protection watchdog, the ICO, has stated in a reprimand to the UK’s Electoral Commission.

In August 2021, unspecified hackers accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities. Until October 2022, the attackers had access to the personal information held on the electoral register, including names and home addresses – personal information of about 40 million people.

An alert had been raised in October 2021, when an employee reported that the server was sending spam email. The Commission reported the matter to the UK’s official National Cyber Security Centre, which called on the Commission to hire an accredited IT investigator.

The servers were accessed on several occasions without the Electoral Commission knowing, the ICO found. The Electoral Commission did not have appropriate security measures in place to protect the personal information it held. In particular, it did not ensure its servers were kept up to date with the latest security updates. The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack.

Nor did the Electoral Commission have sufficient password policies in place at the time of the attack, the watchdog added, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.

Stephen Bonner, Deputy Commissioner at the ICO, said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.

“I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.

“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people’s personal information and risk enforcement action, including fines.”

In a statement, the Electoral Commission said that it had made changes to its approach, systems, and processes.

For ‘lessons learned’ from other cases of reprimands, visit the ICO website. For some years ICO policy has been to avoid fining public authorities.

Comments

Adam Marrè, Chief Information Security Officer at the cyber firm Arctic Wolf said: “This is yet another stark reminder of the importance of having basic cybersecurity measures in place – particularly as foreign influences continue to target these kinds of organisations in the UK and beyond.

“As we navigate election year around the world, protecting these institutions needs to be a number one priority. It is also vital these organisations increase their cyber resiliency themselves. This includes continuous security testing, and working with trusted outside experts to identify weaknesses and take the necessary steps to address them. This will ensure we are in the best possible state to protect ourselves in the future and crucially, restore voter trust worldwide.”

Dr Martin Kraemer, Security Awareness Advocate at the platform KnowBe4, said: “The Electoral Commission must not lose the trust of the electorate. The commission itself as well as the ICO are well aware of that. This must be a cautionary tale for all future elections and presumably has been one for every election held since. Unpatched software is the number two cause of data breaches happening. It will be crucially important to make sure that security basics are covered and to also talk about it so as to rebuild trust. The expected cyber resilience bill is an important step in the right direction.”
