Hackers gained access to the UK Electoral Register, compromising 40 million UK voters’ personal records.
The Information Commissioner’s Office (ICO) issued a formal reprimand, pointing fingers at the Electoral Commission for having extremely slack security measures that allowed hackers easy access to sensitive databases. The result has put voters at risk of having their data exposed online.
The attack wasn’t the result of sophisticated malware or investigation using the latest cybersecurity tools. Instead, it succeeded because the Commission’s security systems had not been updated with the proper security patch. The attack was caused by sheer negligence.
Because of this, hackers were able to gain administrative access by impersonating a user account, using a known vulnerability that had already been fixed in a recent patch for the Commission’s security software. From 2021 to 2022, they had access to the Electoral Register and could view users’ full names, addresses, and voting history.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” explains a deputy commissioner with the ICO. “By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
The ICO reassures affected voters that there is no evidence that the stolen data is being used to harm them. The regulator does not currently believe that the hackers have any reason to misuse the data. It’s also possible that the data wasn’t scraped.
The Commission has also taken steps to maintain better security standards, including using better cybersecurity software and taking more care to promote internal security standards.
“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area,” the Electoral Commission explains in a recent statement.