Cyberattack On U.K. Electoral Commission Was Preventable

A report by the UK’s Information Commissioner’s Office has revealed that a cyberattack on the UK Electoral Commission, resulting in a data breach on 40 million people’s voter register records, could have been prevented if the organization had used basic security measures.

The UK’s Information Commissioner’s Office has accused the Electoral Commission of security failures that led to a massive theft of voter information in August 2021. The Electoral Commission discovered the compromise in October 2022 and disclosed the breach in August 2023, more than a year after the initial breach.

The U.K. government attributed the intrusion to China

Hackers obtained copies of the U.K. electoral registers, which hold voter data from 2014 to 2022, by breaking into servers hosting the Commission’s email.

China denied involvement in the hack, despite the UK government accusing it of using stolen data for espionage and repression of critics and dissidents.

The ICO formally chastised the Electoral Commission on Monday for breaking data protection regulations in the United Kingdom, they added “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.” 

In a short statement released after the report’s release, the Electoral Commission acknowledged that “sufficient protections were not in place to prevent the cyber-attack on the Commission.” 

Two groups of hackers broke into the servers

The ICO accused the Commission of failing to repair software vulnerabilities in its email system, which served as the initial point of intrusion for hackers who stole voter data. The data verifies TechCrunch’s 2023 story that the Commission used a self-hosted Microsoft Exchange server for email.

The ICO reported that malicious hackers broke into the Commission’s Exchange server in 2021 and 2022 using a ProxyShell vulnerability. The hackers gained control and planted malicious code on the server. Microsoft had released patches for ProxyShell in April and May 2021, but the Commission had not installed them.

“The Electoral Commission did not have an appropriate patching regime in place at the time of the incident, This failing is a basic measure.” reported ICO.

The Electoral Commission allowed passwords that were “highly susceptible” to have been guessed, and the Commission acknowledged that it was “aware” that some of its infrastructure was outdated, among other noteworthy security flaws uncovered during the ICO’s inquiry.

Stephen Bonner, ICO deputy commissioner, stated in a statement about the ICO’s report “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.” 

Follow Wat-Not on Facebook, Twitter, and Instagram