ICO reprimands UK Electoral Commission over cyberattack that left voter data exposed

News
By published

40 million people had their information accessed by hackers

Hand of a person casting a vote into the ballot box during elections
(Image credit: Shutterstock / roibu)

The Information Commissioner's Office (ICO) has reprimanded the UK Electoral Commission (EC) after hackers breached servers containing the personal information of 40 million people.

The attack occurred in August 2021, with the hackers breaching the servers through user impersonation and exploiting known vulnerabilities that had not been patched.

The attackers had access to the systems, which contained names and home addresses, until October 2022, with the hackers accessing the data on multiple occasions during this time.

Lack of appropriate security measures

The ICO’s reprimand stems from a lack of appropriate security measures that should have been in place to protect the personal information of millions of registered voters. Specifically, the vulnerabilities exploited by the attackers were patched in April and May of 2021, but were not applied by the EC..

Moreover, many EC accounts were still using default or weak passwords, likely contributing to the attackers ability to impersonate a user account and gain access to the servers. Following the breach, the EC enacted remedial security improvements and implemented an infrastructure improvement plan, alongside best practices for passwords and multi-factor authentication for all users.

Stephen Bonner, Deputy Commissioner at the ICO, commented on the reprimand stating, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people's personal information and risk enforcement action, including fines,” Bonner concluded.

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.