Basic security failings allowed hackers to access the personal details of 40 million British voters held by the UK’s Electoral Commission (EC), the Information Commissioner’s Office (ICO) has found.
Following an investigation into the August 2021 data breach, the ICO found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held.
The regulator revealed the attackers successfully accessed the Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured.
These flaws were in the ProxyShell vulnerability chain, and the attackers were able to create web shells on the system.
Electoral Commission Failed to Protect Voter Data
While cybercriminals had accessed the EC’s systems in August 2021, it was not until October 2022 that a data breach was detected.
The breach was identified when an employee reported that spam emails were being sent from the Electoral Commission’s Exchange Server, leading to the discovery of malware. The Exchange Server was then shut down and scrubbed before being restarted.
Before detection occurred, the threat actors had access to personal information held on the Electoral Register on several occasions without the Commission’s knowledge.
This included the personal data of anyone in the UK who was registered to vote between 2014 and 2022.
The Commission publicly revealed the breach in August 2023, describing it as a “complex cyber-attack.”
The UK government subsequently attributed the attack to China state-affiliated threat actors in March 2024.
The ICO identified several “basic” security failings by the Commission that allowed the attack to take place:
- Not ensuring its servers were kept up to date with the latest security updates, with patches for the exploited vulnerabilities released in April and May 2021
- Appropriate password management policies were not in place at the time of the incident, with one of the compromised accounts still using a password which was allocated to the account upon creation
Stephen Bonner, Deputy Commissioner at the ICO, commented: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.”
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” Bonner added.
In September 2023, the Commission admitted to failing an important cybersecurity test at the same time that hackers breached its systems.
No Evidence of Data Misuse
Bonner reassured the public that despite the “unacceptably high” number of people impacted by the breach, there is no evidence that any personal data was misused or that any direct harm has been caused.
The ICO also acknowledged that the Commission has taken several remedial steps to improve its security following the attack. This includes implementing a technology modernization plan, creating password policy controls within its Active Directory and enforcing multi-factor authentication (MFA) for all users.
Bonner added: “This action should serve as a reminder to all organizations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organization has installed the latest security updates? If not, then you jeopardize people’s personal information and risk enforcement action, including fines.”
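The password failing the ICO listed (a compromised account still using the password allocated at creation) and the Active Directory password controls mentioned above point to a routine check a defender would want to run. The following PowerShell script is an added example, not code from the article, the ICO or the Commission: it lists enabled AD accounts whose password was set when the account was created and has never been changed since, and accounts marked so their password never expires. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the five-minute tolerance between creation and the last password set is an assumption to allow for provisioning delays.

```powershell
# Added example (not from the article): find Active Directory accounts that are
# still on their initial password or are exempt from password expiry.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# Minutes between account creation and the last password set below which we
# treat the password as "never changed since creation" (assumed tolerance).
$ToleranceMinutes = 5

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties whenCreated, PasswordLastSet, PasswordNeverExpires

$findings = foreach ($u in $users) {
    # PasswordLastSet is $null when pwdLastSet is 0, i.e. the user must change
    # the password at next logon; that is not a finding, so skip it.
    $neverChanged = ($null -ne $u.PasswordLastSet) -and
        (($u.PasswordLastSet - $u.whenCreated).TotalMinutes -lt $ToleranceMinutes)

    if ($neverChanged -or $u.PasswordNeverExpires) {
        [PSCustomObject]@{
            SamAccountName            = $u.SamAccountName
            Created                   = $u.whenCreated
            PasswordLastSet           = $u.PasswordLastSet
            NeverChangedSinceCreation = $neverChanged
            PasswordNeverExpires      = $u.PasswordNeverExpires
        }
    }
}

# Oldest accounts first: a long-lived account still on its initial password is
# the case the ICO finding describes.
$findings | Sort-Object Created | Format-Table -AutoSize
```

Run it from a domain-joined workstation with RSAT; accounts that appear with NeverChangedSinceCreation set to True are candidates for a forced password reset, and the PasswordNeverExpires column shows which accounts bypass whatever expiry policy is applied.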