An investigation led by the Information Commissioner’s Office has found that The Electoral Commission could likely have prevented a significant attack if patches and adequate password policies had been implemented
The UK’s elections regulator has been formally reprimanded over a data breach that compromised the personal data of 40 million citizens – but could likely have been prevented by “basic” security measures, according to the Information Commissioner’s Office.
Last summer, The Electoral Commission revealed that it had suffered a cyberattack in which intruders went undetected for more than a year before being discovered in October 2022. During this time, attackers accessed the commission’s internal email systems and servers hosting copies of the electoral registers, which held the names and home addresses of 40 million individuals.
Ministers later pinned the attack on a “China state-affiliated cyber actor”, and claimed it was part of a wider programme of “malicious cyber campaigns” orchestrated by Beijing.
Having concluded its investigation into the breach, the ICO noted that the elections watchdog failed to implement “appropriate security measures” that, in all likelihood, would have prevented the attackers gaining access.
Such measures include ensuring that servers had the latest available security updates installed; investigators found that “the security patches for the vulnerabilities exploited in the cyberattack were released in April and May 2021, months before the attack” took place in August of that year.
“The Electoral Commission also did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk,” the ICO said.
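The failure the ICO describes has two halves: a reset process that let users keep the service-desk password, or a trivial edit of it, and no audit to find the accounts that did. As an added illustration (example code written for this article, not anything the Electoral Commission or the ICO published), the block below shows both controls: a check applied when a user sets a new password, which rejects anything identical to the issued password or differing from it only by case, digits, symbols or a small edit, and an audit that tests stored hashes against the handful of cheap variants users typically make. The thresholds, the sample accounts and the use of unsalted SHA-256 are assumptions made so the example runs offline; a real directory stores salted hashes and the audit would need to use the same scheme.

```python
import hashlib
import re
import unicodedata
from dataclasses import dataclass

# Hypothetical policy thresholds (assumptions for this example, not the
# Electoral Commission's actual configuration).
MIN_LENGTH = 12
MAX_SIMILARITY = 0.6

# Common keyboard substitutions people use to "change" a password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its letter core so that Welcome2021!, welcome2022
    and W3lc0me# all collapse to 'welcome'."""
    s = unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode()
    s = s.casefold().strip()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits/symbols (2021!, 123)
    s = s.translate(_LEET)           # undo common substitutions (0->o, @->a)
    return re.sub(r"[^a-z]", "", s)  # drop anything left that is not a letter


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_new_password(candidate: str, issued: str) -> Verdict:
    """Decide whether a user-chosen password is acceptable given the password
    the service desk originally issued for that account."""
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if candidate == issued:
        return Verdict(False, "identical to the issued password")
    n_c, n_i = normalize(candidate), normalize(issued)
    if n_c == n_i:
        return Verdict(False, "differs from the issued password only by case, digits or symbols")
    if n_i and n_i in n_c:
        return Verdict(False, "contains the issued password")
    similarity = 1 - levenshtein(n_c, n_i) / max(len(n_c), len(n_i), 1)
    if similarity >= MAX_SIMILARITY:
        return Verdict(False, "too similar to the issued password")
    return Verdict(True, "ok")


def issued_variants(issued: str) -> set[str]:
    """The edits users make to an issued password instead of replacing it:
    case changes, a short suffix, or the year rolled forward."""
    base = issued.rstrip("0123456789!?.")
    out = {issued, issued.lower(), issued.upper(), issued + "1", issued + "!",
           base, base + "1", base + "!", base + "123"}
    m = re.search(r"(19|20)\d\d", issued)
    if m:
        year = int(m.group())
        for delta in (1, 2, 3):
            out.add(issued[:m.start()] + str(year + delta) + issued[m.end():])
    return out


def audit_accounts(records, hasher=lambda p: hashlib.sha256(p.encode()).hexdigest()) -> list[str]:
    """Flag accounts whose stored hash matches the issued password or a cheap
    variant of it. `records` is (user, issued_password, stored_hash). Unsalted
    SHA-256 is a stand-in so the example runs offline; pass a `hasher` that
    matches whatever your directory actually stores."""
    return [user for user, issued, stored in records
            if any(hasher(v) == stored for v in issued_variants(issued))]


def _h(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()


# Constructed sample directory extract: the service desk issued everyone
# 'Welcome2021!' and asked them to change it at first logon.
SAMPLE_ACCOUNTS = [
    ("alice", "Welcome2021!", _h("Welcome2021!")),           # never changed it
    ("bob",   "Welcome2021!", _h("Welcome2023!")),           # rolled the year
    ("carol", "Welcome2021!", _h("correct-horse-battery")),  # actually changed it
]

if __name__ == "__main__":
    for cand in ("Welcome2021!", "Welcome2022!", "Wellcome-2021!",
                 "W3lcome2021Home", "correct-horse-battery"):
        print(f"{cand!r:24} -> {check_new_password(cand, 'Welcome2021!')}")
    print("still on an issued-password variant:", audit_accounts(SAMPLE_ACCOUNTS))
```

The normaliser is deliberately crude: it exists to catch the lazy edits a user makes to avoid choosing a new password, not to score password strength, which is a separate control (length, breach-list checks, MFA). The audit only finds variants it knows to generate, so it complements rather than replaces forcing a change at first logon.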
The data-protection watchdog acknowledged that, since the attack was discovered, the commission has taken “a number of remedial steps to improve their security… including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users”.
But a reprimand has been issued in light of the organisation’s previous failure to take “basic steps”. If these rudimentary measures had been taken, “it is highly likely that this data breach would not have happened”, according to ICO deputy commissioner Stephen Bonner.
For its part, the Electoral Commission expressed “regret that sufficient protections were not in place to prevent the cyberattack”.
“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area,” a spokesperson added. “We will continue to ensure our cyber security keeps pace with emerging threats, and remain vigilant to the risks facing our electoral processes and institutions. We will continue to work with the UK’s governments and the wider electoral community to safeguard the safety of the system.”
According to the ICO’s Bonner, the commission “handles the personal information of millions of people, all of whom expect their data to be in safe hands”.
“I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year,” he said. “I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.”
Bonner added: “This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people’s personal information and risk enforcement action, including fines.”
For the past two years, the ICO has been piloting a new approach to working with the public sector, in which fines have largely been avoided in favour of working with public bodies to try to raise standards of data protection. The trial’s two-year lifespan has now come to an end, but the approach will remain in place while a review of its impact and efficacy takes place.
In an interview with PublicTechnology last year, about 15 months into the trial period, Bonner said that the regulator would be “good scientists” in assessing the impact of the revised approach and its efficacy going forward.
But he added that the, admittedly anecdotal, evidence so far had suggested that, without the spectre of financial losses looming over every mistake, organisations had been less likely to take an approach of “how do we avoid the fine, rather than how do we get to a good outcome?”.
“It also shows we understand the pressures they’re under and recognise that funding may be very tight, and therefore things that might impact on that funding further may not be the most effective use of resources,” Bonner said. “Instead: can we get them to the outcome that they need? And can they then help others to do that? Because it’s not just cooperation with us – it’s cooperation with the ecosystem, to raise standards everywhere. That is vital. And cover-ups don’t help anyone.”