The lack of "basic" security measures allowed hackers to access a database containing the personal records of millions of UK voters, the country’s data privacy watchdog has said.
The Information Commissioner’s Office (ICO) has issued a formal reprimand to the Electoral Commission, which oversees the elections in the UK, for leaving the records of 40 million voters “vulnerable to hackers.”
The hackers first accessed the Electoral Register that stores personal voter information in August 2021 and maintained access for more than a year – until October 2022. The exposed data included voters’ names and home addresses.
The threat actors accessed the system by impersonating a user account and exploiting a known software vulnerability that had not been patched, despite a security update addressing the issue being released months prior.
According to the ICO, the servers were accessed on several occasions without the Electoral Commission’s knowledge. The Electoral Commission said it regretted that sufficient protections were not put in place to prevent the cyberattack.
“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area,” it said in a statement.
While an “unacceptably high” number of people were affected by the breach, the ICO said it had no reason to believe any personal data was misused. It said it found no evidence of any direct harm as a result of the breach.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” said Stephen Bonner, deputy commissioner at the ICO.
“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” he said, adding that this should “serve as a reminder” to all organizations to secure their systems.
The UK government formally accused China of the “malicious” attack and, earlier this year, imposed sanctions on two individuals and a company as a result. The Chinese embassy in the UK said the accusations were “completely unfounded” and amounted to “malicious slander.”
In July, the ICO also reprimanded the London Borough of Hackney for a 2020 cyberattack that affected 280,000 residents. It said that the attack was a result of the “failure” to implement security measures.