The UK Information Commissioner’s Office (ICO) has reprimanded the Electoral Commission for basic security failings that exposed personal data belonging to 40 million voters.
Two years ago, hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system.
For more than a year, they had access to the personal information held on the Electoral Register, including names and home addresses - and the servers were accessed on several occasions without the Electoral Commission’s knowledge.
The attack was widely attributed to Chinese state-sponsored attackers.
Following an investigation into the matter, the ICO found the Electoral Commission didn't have appropriate security measures in place to protect the personal information it was holding.
In particular, the watchdog said it failed to keep servers up to date with the latest security updates. The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack.
Meanwhile, the Electoral Commission also had inadequate password policies in place, according to the ICO, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers," said Stephen Bonner, deputy commissioner at the ICO.
"I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach."
The Electoral Commission has since taken steps to improve its security, including implementing a plan to modernize its infrastructure, as well as password policy controls and multi-factor authentication for all users.
But BCS fellow Dan Card said the breach shouldn't come as a surprise.
"This scenario isn't even an edge case — it reflects the state of a significant number of organizations, including some critical national infrastructure," he said.
"Reports indicate that the threat actors exploited ProxyShell, a vulnerability that was extensively discussed and addressed within the cybersecurity community. The organization's failure to act promptly is a glaring oversight, compounding the severity of the other findings."
