A major cybersecurity breach at the UK’s Electoral Commission exposed the personal details of millions of voters, leading to a formal reprimand from the Information Commissioner’s Office. Here’s the full story.
40 Million Voters Exposed
Due to vulnerabilities in the Electoral Commission’s systems, the personal details of approximately 40 million UK voters were exposed to hackers.
Year-Long Undetected Hack
The hack, which began in August 2021 and went undetected for over a year, was attributed to inadequate security measures, including outdated software which allowed the hackers to exploit known weaknesses and weak passwords used by staff, some of which were unchanged from the default passwords used by the Electoral Commissions IT department.
Formal Reprimand Issued
In an unprecedented move, the incident has led to a formal reprimand from the Information Commissioner’s Office (ICO), which first detected the hack, and led to accusations that the Electoral Commission had left the personal details of millions of citizens “exposed and vulnerable to hackers.”
Infiltration Not Immediately Detected
Incredibly, the cybersecurity attack on the Electoral Commission was not detected immediately. Hackers managed to sneak into the Commission’s systems in August 2021, but their infiltration was not detected for over a year.
Spam Emails as Clue
It fell to a lone employee to notice that the system had been hacked after an unnamed worker noticed that spam emails were being sent from the Commission’s email server. The security breach finally came to light once this was brought to the attention of the employee’s higher-ups.
Unfettered Access to Data
However, between the 2021 hack and the intruders’ final expulsion in 2022, the hackers could access the personal details of all the voters in the electoral register at their leisure.
Critical Vulnerabilities Found
The ICO’s investigation revealed several critical vulnerabilities that facilitated the breach. Key among these was the Commission’s failure to update its servers and software with security patches that had been available for months before the attack.
Weak Passwords Exposed
The investigation also found that the Commission did not have a password policy. Many staff members were still using default passwords set by the IT service desk, the technical equivalent of using “password” as your password, which, after being discovered by the hackers, allowed them unfettered access to the system.
Damning Public Indictment
In a damning public indictment, Stephen Bonner, Deputy Commissioner at the ICO, stated, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.”
Basic Steps Ignored
He added, “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
Chinese Hackers Accused
In the aftermath of the unprecedented breach, the UK government formally accused Chinese state-affiliated hackers of orchestrating the “malicious” cyber-attack, a claim the Chinese embassy promptly rejected.
Embassy Denies Allegations
At the time, a spokesperson for the Chinese embassy stated, “The UK’s hype-up of the so-called ‘Chinese cyber attacks’ without basis and the announcement of sanctions is outright political manipulation and malicious slander. We have no interest or need to meddle in the UK’s internal affairs.”
Government Maintains Stance
Despite the denial, the government has maintained its stance on the alleged involvement of Chinese actors in the cyber-attack.
No Evidence of Misuse
In a stroke of good luck for the Electoral Commission, despite the sheer scale of the previously undetected breach, the ICO found no evidence that exposed personal data was misused or that any direct harm resulted from the attack.
Commission Regrets Lapses
In response to the ICO’s findings, an Electoral Commission spokesperson stated, “We regret that sufficient protections were not in place to prevent the cyber attack on the commission.”
Security Measures Improved
They added that the Commission had since made significant changes to its approach, systems, and processes to bolster the security and resilience of its IT infrastructure. These changes have reportedly been implemented in consultation with cybersecurity experts, including those from the ICO.
Severe Vulnerabilities Highlighted
The cybersecurity breach that exposed the personal details of millions of UK voters has highlighted severe vulnerabilities in the Electoral Commission’s systems.
Lengthy Detection Time Concerning
These vulnerabilities are all the more concerning due to the information available to the Commission and the sheer length of time that passed before the breach was detected.
Need for Increased Awareness
In an age of cybersecurity threats and increased hostile actions from online adversaries, the need for increased awareness of the many and varied online security threats is becoming more evident.
Future Security Uncertain
It remains to be seen whether the new security measures implemented by the Electoral Commission will be enough to prevent similar breaches in the future.
Russia Retreats as Western Allies Greenlight Ukraine’s Offensive
Recent Russian territorial gains in Ukraine could be reversed following a dramatic policy change from the US and Germany. The announcement could see a substantial tactical shift from both sides in the coming months. Russia Retreats as Western Allies Greenlight Ukraine’s Offensive
21 Lies You’ve Been Told About the British Royal Family
Ever thought you had the British Royal Family all figured out? Think again! From their powers and privileges to their personal lives, there are plenty of misconceptions floating around. Let’s dive into the myths and uncover the truths that might just surprise you. 21 Lies You’ve Been Told About the British Royal Family
18 Nations Tired of British Tourists
British tourists are known for their high spirits and adventurous nature, but not all countries appreciate their presence. Here’s a candid look at 18 countries where British tourists might not be as welcome as they think. 18 Nations Tired of British Tourists
Featured Image Credit: Shutterstock / Pukka TV.