The UK’s Electoral Commission has admitted to failing a crucial cybersecurity test at the same time that hackers breached its systems, compromising the data of 40 million voters.
A whistleblower revealed to the BBC the Commission received an automatic failure during a Cyber Essentials audit.
The breach, which occurred between August 2021 and October 2022, allowed unauthorized access to email correspondence and sensitive voter databases. The breach method and the perpetrators remain unidentified.
Notably, the Commission’s cybersecurity deficiencies, highlighted by its failed audit, potentially contributed to the breach. Auditors cited outdated software on around 200 staff laptops and the use of unsupported iPhones as key reasons for the failed test.
These revelations raise concerns about the Commission’s cybersecurity readiness, especially as the government mandates Cyber Essentials certification for suppliers handling sensitive data.
The UK’s Information Commissioner’s Office (ICO) said it is urgently investigating the implications of the breach for data privacy and security.
While the Commission initially downplayed the significance of the breach, saying it was “largely in the public domain,” it impacted data belonging to millions who had opted out of public registers.
“While we cannot be certain of their motive, what they learned, or what the attacker was truly seeking, in this instance, the attackers had access to the electoral systems for a number of months, indicating they were in search of something other than quick financial gain, which is the most common motive of attacks,” explained Andrew Rose, resident CISO at Proofpoint.
“The longer an attacker stays undetected in a network, the more damage they can do. This breach serves as a stark reminder to all public and private organizations to take swift action to reinforce their cyber defenses, making it harder for criminals to get into their systems in the first place and thus preventing this from happening again.”
Surprisingly, the Commission did not reapply for Cyber Essentials certification in 2022, but said it remains committed to improving its cybersecurity measures in collaboration with the National Cyber Security Centre (NCSC). Investigations into the breach continue.