The U.K. Electoral Commission could have avoided a significant cybersecurity incident, which led to the unauthorized access of voter information for 40 million individuals, if it had implemented fundamental security precautions. This was the conclusion of a critical report unveiled by the U.K.’s data protection agency this week.
The investigation conducted by the Information Commissioner’s Office identified that the Electoral Commission, responsible for maintaining the U.K.’s voter lists, did not deploy adequate security measures, leading to the widespread theft of voter records starting in August 2021.
It was not until October 2022 that the Electoral Commission detected the breach in its systems, and it waited until August 2023 to make a public announcement about the year-long data compromise.
Upon disclosure, the Electoral Commission reported that attackers had accessed its servers, extracting U.K. electoral register information, among other things. This register contained details on voters registered from 2014 to 2022, including names, addresses, phone numbers, and other private information.
The U.K. authorities later linked the cyber intrusion to Chinese actors, with high-ranking officials noting the potential use of the stolen data for “extensive espionage and the transnational suppression against dissidents and critics within the U.K.” China has refuted these allegations.
On Monday, the ICO censured the Electoral Commission for breaching U.K. data protection laws, stating, “Had the Electoral Commission adopted straightforward protective measures like proper security updating and password protocols, this data breach could likely have been averted.”
Following the publication of the ICO’s report, the Electoral Commission acknowledged in a succinct statement that it had failed to establish the necessary safeguards against such a cyberattack.
The specific causes of the vast data exposure of millions of U.K. citizens were unclear until the ICO’s findings were made public.
Further insights from the ICO pinpointed the failure of the Commission to address “known software vulnerabilities” on its email server, which hackers exploited to access and exfiltrate voter data. A 2023 report by TechCrunch also revealed this server was a self-hosted Microsoft Exchange server.
The ICO report confirmed that from 2021 to 2022, at least two cybercriminal groups penetrated the Commission’s Microsoft Exchange server via a series of three flaws, known as ProxyShell, allowing them to gain control and insert malicious code.
Microsoft had issued fixes for the ProxyShell vulnerabilities in April and May of 2021, but the Commission had not applied these patches.
By August 2021, the U.S. cybersecurity body CISA issued a warning regarding the active exploitation of ProxyShell. By then, entities with a robust security patching procedure had already safeguarded their systems—an action the Electoral Commission failed to take.
“The absence of a suitable patching system at the time of the breach was a fundamental flaw,” stated the ICO’s report.
The ICO’s examination also found the Electoral Commission’s password policies to be extremely susceptible to brute-forcing, and noted that the Commission was aware its infrastructure was outdated.
Stephen Bonner, ICO Deputy Commissioner, emphasized that a basic protocol for system protection, including updates and password management, would likely have prevented the breach.
Why wasn’t the Electoral Commission fined by the ICO?
Despite the severity of a cybersecurity lapse exposing the details of 40 million voters, the Electoral Commission only received a formal caution instead of a financial penalty. This light touch reflects the ICO’s recent move towards a more lenient enforcement stance towards public entities.
Although public bodies have historically faced financial repercussions for data protection infringements, a change in policy announced by the ICO in June 2022 under the previous government administration indicated a two-year period during which penalties would be less likely, focusing instead on investigations and reprimands.
Information Commissioner John Edwards, in an open letter, explained the rationale behind this approach, suggesting that fines were not as effective in the public sector due to their impact on budgets and services rather than on individual actors.
The Electoral Commission’s discovery of its breach came during the ICO’s trial of this softer enforcement method. The trial emphasizes outreach and preventive measures over punitive actions to enhance data protection practices within public sector organizations.
However, the breach underscores challenging questions regarding the efficacy of the ICO’s lenient policy and whether public authorities are upholding their part in improving data protection standards.
Although the ICO decided not to levy a fine in this instance, citing the lack of evidence of data misuse and the Electoral Commission’s subsequent steps to strengthen its cybersecurity measures, the incident remains a critical lesson in the importance of up-to-date security practices for preventing data breaches.
The future of the ICO’s enforcement policy, particularly whether it will revert to imposing stricter fines for data breaches within the public sector, is under review as the two-year trial nears its conclusion.
Compiled by Techarena.au.