Basic security failings allowed hackers to access the personal details of 40 million British voters held by the UK’s Electoral Commission (EC), the Information Commissioner’s Office (ICO) has found.
Following an investigation into the August 2021 data breach, the ICO found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held.
The regulator revealed that the attackers gained access to the Commission's Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities that had not been patched.
The flaws were part of the ProxyShell vulnerability chain, and exploiting them allowed the attackers to plant web shells on the server.
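The hunt a defender would run on an Exchange server after a finding like this is a sweep of the IIS-served directories for recently written server-side script files, which is how web shells dropped through ProxyShell surface. The following PowerShell is an added example and is not from the ICO report or the Commission; the directory list and the cut-off date are assumptions for illustration (ProxyShell patches shipped in April and May 2021, so that window is used here), and `$env:ExchangeInstallPath` is the variable Exchange setup normally defines on the server.

```powershell
# Added example: list recently created or modified ASP.NET files under the
# Exchange front-end and IIS client directories, with hashes for triage.
# Paths, file types and the cut-off date are assumptions; tune them to the estate.
$since = Get-Date '2021-04-01'   # assumption: start of the exploitation window of interest

$install = $env:ExchangeInstallPath   # e.g. C:\Program Files\Microsoft\Exchange Server\V15\
if (-not $install) { throw 'ExchangeInstallPath is not set; run this on the Exchange server itself' }

$roots = @(
    (Join-Path $install 'FrontEnd\HttpProxy'),   # owa\auth, ecp\auth and friends live under here
    'C:\inetpub\wwwroot\aspnet_client'           # assumption: default IIS path, a common drop location
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -ge $since -or $_.CreationTimeUtc -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTimeUtc
                LastWrite = $_.LastWriteTimeUtc
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Review, do not delete: legitimate Exchange updates also rewrite files here, so
# compare each hash against a known-good server at the same build before acting.
$hits | Sort-Object LastWrite | Format-Table -AutoSize
```

Security updates rewrite legitimate files in these directories too, so the list is a triage queue rather than a verdict; a file with an unexpected name, a very small size, or a hash that no patched peer server shares is what warrants a closer look.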
Electoral Commission Failed to Protect Voter Data
While cybercriminals had accessed the EC’s systems in August 2021, it was not until October 2022 that a data breach was detected.
The breach was identified when an employee reported that spam emails were being sent from the Commission's Exchange Server, leading to the discovery of malware. The Exchange Server was then shut down and scrubbed before being restarted.
Before detection occurred, the threat actors had access to personal information held on the Electoral Register on several occasions without the Commission’s knowledge.
This included the personal data of anyone in the UK who was registered to vote between 2014 and 2022.
The Commission publicly revealed the breach in August 2023, describing it as a “complex cyber-attack.”
The UK government subsequently attributed the attack to China state-affiliated threat actors in March 2024.
The ICO identified several “basic” security failings by the Commission that allowed the attack to occur:
- Not keeping its servers up to date with the latest security updates; patches for the exploited vulnerabilities had been released in April and May 2021
- Not having appropriate password management policies in place at the time of the incident; one of the compromised accounts was still using the password allocated to it when the account was created
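The second finding is straightforward to check for in Active Directory: an account whose password has never changed since creation has a `PasswordLastSet` timestamp within moments of its `whenCreated` timestamp (or no timestamp at all, if the initial password was never set). The following PowerShell is an added example, not something the ICO or the Commission published; it assumes the RSAT ActiveDirectory module on a domain-joined host and a five-minute tolerance, which is an assumption chosen to absorb the gap between object creation and the initial password write.

```powershell
# Added example: report enabled AD users still on the password allocated at creation.
# Assumes the ActiveDirectory module (RSAT) and rights to read user attributes.
Import-Module ActiveDirectory

$tolerance = New-TimeSpan -Minutes 5   # assumption: creation and initial password set fall within this window

$suspects = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, whenCreated, PasswordNeverExpires, LastLogonDate |
    ForEach-Object {
        # PasswordLastSet is $null when pwdLastSet is 0 (never set, or "must change at next logon")
        $neverSet  = -not $_.PasswordLastSet
        $unchanged = $false
        if ($_.PasswordLastSet -and $_.whenCreated) {
            $delta     = $_.PasswordLastSet - $_.whenCreated
            $unchanged = $delta.Duration() -le $tolerance
        }
        if ($neverSet -or $unchanged) {
            $finding = if ($neverSet) { 'password never set' } else { 'initial password still in use' }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Created              = $_.whenCreated
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                Finding              = $finding
            }
        }
    }

# Accounts that have actually logged on while still on their initial password are the priority.
$suspects | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
```

An account that appears in this output, has `PasswordNeverExpires` set and a recent `LastLogonDate` is exactly the combination the ICO described: a credential handed out at provisioning and never rotated, still in active use.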
Stephen Bonner, Deputy Commissioner at the ICO, commented: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.”
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” Bonner added.
In September 2023, the Commission admitted to failing a crucial cybersecurity test at the same time that hackers breached its systems.
No Evidence of Data Misuse
Bonner reassured the public that despite the “unacceptably high” number of people impacted by the breach, there is no evidence that any personal data was misused or that any direct harm has been caused.
The ICO also acknowledged that the Commission has taken several remedial steps to improve their security following the attack. This includes implementing a technology modernization plan, developing password policy controls within their Active Directory and enforcing multi-factor authentication (MFA) for all users.
Bonner added: “This action should serve as a reminder to all organizations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organization has installed the latest security updates? If not, then you jeopardize people's personal information and risk enforcement action, including fines.”