ICO reprimands UK Electoral Commission over cyberattack that left voter data exposed
40 million people had their information accessed by hackers
The Information Commissioner's Office (ICO) has reprimanded the UK Electoral Commission (EC) after hackers breached servers containing the personal information of 40 million people.
The attack occurred in August 2021, with the hackers breaching the servers through user impersonation and exploiting known vulnerabilities that had not been patched.
The attackers had access to the systems, which contained names and home addresses, until October 2022, with the hackers accessing the data on multiple occasions during this time.
Lack of appropriate security measures
The ICO’s reprimand stems from a lack of appropriate security measures that should have been in place to protect the personal information of millions of registered voters. Specifically, the vulnerabilities exploited by the attackers were patched in April and May of 2021, but were not applied by the EC..
Moreover, many EC accounts were still using default or weak passwords, likely contributing to the attackers ability to impersonate a user account and gain access to the servers. Following the breach, the EC enacted remedial security improvements and implemented an infrastructure improvement plan, alongside best practices for passwords and multi-factor authentication for all users.
Stephen Bonner, Deputy Commissioner at the ICO, commented on the reprimand stating, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people's personal information and risk enforcement action, including fines,” Bonner concluded.
More from TechRadar Pro
- Here is our guide to the best endpoint protection
- Google admits it accidentally broke its own password manager
- These are the best internet security suites
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.