UK election body failed cybersecurity test before hack


The United Kingdom Electoral Commission failed a basic cybersecurity test at around the same time it was hacked, a whistleblower revealed to the BBC. Experts are worried.

The commission has previously disclosed a data breach that exposed the personal details of anybody who was registered to vote in the country between 2014 and 2022. That’s around 40 million voters.

Now, a whistleblower has told the BBC that the commission was given an automatic fail during a Cyber Essentials audit, which, in essence, was a cybersecurity test. The commission confirmed the claim and said that it had still not passed the test.

According to the BBC, in the same month that hackers were breaking into the organization, the commission was told by cybersecurity auditors that it was not compliant with the Cyber Essentials scheme.

A spokeswoman for the Electoral Commission admitted the failings to the BBC but claimed they weren't linked to the cyber-attack that impacted the commission's email servers.

Cybersecurity experts say they’re concerned. Andrew Rose, a resident chief information security officer at Proofpoint, a cybersecurity and compliance company, said that the breach and the failure to pass the audit were a “stark reminder” that cyber defenses at all public and private organizations need to be reinforced.

“It’s evident that cybercriminals were taking full advantage of the electoral system’s vulnerable, decentralized structure in order to gain access to as much information as possible,” said Rose.

“While we cannot be certain of their motive, what they learned, or what the attacker was truly seeking, in this instance, the attackers had access to the electoral systems for a number of months, indicating they were in search of something other than quick financial gain, which is the most common motive of attacks. The longer an attacker stays undetected in a network – the more damage they can do.”

When the hack was announced, the Electoral Commission said that the data hacked from the full electoral register was "largely in the public domain."

“We don’t know how this data might be used, but according to the risk assessment used by the Information Commissioner’s Office, the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals,” the commission said in August.

But the attackers – it’s not yet clear who was responsible for the intrusion – could now potentially spread disinformation to the 40 million UK citizens in the database and “amplify disharmony,” said Rose.

“They can also manipulate the information within these systems in order to create distrust by calling to question the authenticity and accuracy of voter data or even, in a worst case, votes themselves,” he added.