The UK Information Commissioner’s Office (ICO) has reprimanded the Electoral Commission for basic security failings that exposed personal data belonging to 40 million voters.
Two years ago, hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system.
For more than a year, they had access to the personal information held on the Electoral Register, including names and home addresses - and the servers were accessed on several occasions without the Electoral Commission’s knowledge.
The attack was widely attributed to Chinese state-sponsored attackers.
Following an investigation into the matter, the ICO found the Electoral Commission didn't have appropriate security measures in place to protect the personal information it was holding.
In particular, the watchdog said it failed to keep servers up to date with the latest security updates. The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack.
Meanwhile, the Electoral Commission also had inadequate password policies in place, according to the ICO, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers," said Stephen Bonner, deputy commissioner at the ICO.
"I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach."
The Electoral Commission has since taken steps to improve its security, including implementing a plan to modernize its infrastructure, as well as password policy controls and multi-factor authentication for all users.
But BCS fellow Dan Card said the breach shouldn't come as a surprise.
RELATED WHITEPAPER
"This scenario isn't even an edge case — it reflects the state of a significant number of organizations, including some critical national infrastructure," he said.
"Reports indicate that the threat actors exploited ProxyShell, a vulnerability that was extensively discussed and addressed within the cybersecurity community. The organization's failure to act promptly is a glaring oversight, compounding the severity of the other findings."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
-
ICO fines topped $14 million in 2023 amid crackdown by regulator on data protection standardsNews ICO fines across 2023 exceeded £14 million, with TikTok among the worst-hit for data protection violations
