The UK’s Electoral Commission faced significant cybersecurity failings shortly before a major data breach in which hackers potentially accessed the data of 40 million voters, including sensitive information not available on public registers.
According to a BBC report, the commission failed a Cyber Essentials audit, a UK government-backed scheme launched in 2014 to certify organizations against cybersecurity standards. Any supplier that wants to bid for government contracts involving the handling of sensitive and personal information, or the provision of certain technical products and services, must hold a Cyber Essentials certificate. However, the commission failed to meet the required standards in several areas during its 2021 certification attempt.
The breach, which remained undetected for over a year, allowed “hostile actors” to gain access to the commission’s emails and voter databases from August 2021 until its discovery in October 2022. The commission has yet to reveal the identity of the attackers or the method of the breach.
Daniel Card, a cybersecurity consultant, mentioned that while it’s too early to determine if the audit failings directly facilitated the hack, such vulnerabilities paint a picture of weak cybersecurity posture and governance. “Early indications are that the hackers managed to get into the email servers a different way, but there’s a chance that the chain of attack may have included one or more of these poorly-secured devices,” Card said.
The National Cyber Security Centre (NCSC), which supports the Cyber Essentials scheme, emphasizes the importance of up-to-date software to prevent known vulnerabilities from being exploited. The NCSC further states that susceptibility to basic attacks can make organizations more attractive targets for cybercriminals.
In response to the breach, Shaun McNally, the Electoral Commission’s chief executive, expressed regret and assured that significant steps have been taken to “improve the security, resilience, and reliability” of their IT systems. The commission also promptly informed the Information Commissioner’s Office (ICO) about the breach, as required by data protection laws.