UK Electoral Commission slapped for basic cybersecurity fails

It took 13 months to notice 40 million voters' data was compromised


The UK's Electoral Commission has received a formal slap on the wrist for a litany of security failings that led to the theft of personal data belonging to around 40 million voters.

Official documents from the Information Commissioner's Office (ICO) say the people responsible for the 2021 cyberattack on the Electoral Commission's Microsoft Exchange Server are unknown. However, the UK officially pinned these attacks on China earlier this year.

Among the failings that led to the attack, and to the 13 months it took the Electoral Commission to detect any malicious activity, was an ineffective patching regime that failed to identify and remediate known vulnerabilities in the Exchange server, including the ProxyShell chain that was used to carry out the data breach.

Defenders reading this will probably remember that Microsoft shipped fixes for the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) in its April and May 2021 Exchange security updates, months before the attack actually began.

The ICO also found that the Commission was using default passwords and had failed to deploy appropriate password management policies across the organization.

In a post-incident audit of passwords at the body, 178 were cracked in "rapid" time because they were identical or similar to the passwords issued when the accounts were created, the ICO's formal reprimand [PDF] states.

"This failing is a basic measure that we would expect to see implemented in any organization processing personal data – regardless of potential severity of risk or size of organization," it reads.
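The finding above is the kind of weakness a password-change policy can catch before an attacker does. The following is an added example, not code from the ICO reprimand or the Electoral Commission: it rejects a new password that is identical to, or a trivial variation of, the password issued at account creation. The account list, issued passwords and candidate passwords are constructed samples, and the normalization rules (case folding, stripping leading/trailing digits and punctuation, undoing common "leet" substitutions) and the edit-distance threshold are assumptions a real policy would tune.

```python
"""Password-change policy check: refuse a candidate password that is the
same as, or a trivial variation of, the password issued when the account
was created.

Added example, not from the ICO reprimand or the Electoral Commission.
Sample accounts are constructed; the normalization rules and the distance
threshold are assumptions. This runs at password-change time, when the
plaintext candidate is available; it is not a hash-cracking audit."""
import re
import unicodedata

# Common "leet" substitutions, so W3lc0me compares as welcome (assumption).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its comparison 'root'."""
    s = unicodedata.normalize("NFKD", pw)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    s = re.sub(r"[\d\W_]+$", "", s)   # drop trailing digits / punctuation
    s = re.sub(r"^[\d\W_]+", "", s)   # and leading ones
    return s.casefold().translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_candidate(candidate: str, issued: str, max_distance: int = 2):
    """Return (rejected, reason) for a proposed password change."""
    if candidate == issued:
        return True, "identical to issued password"
    rc, ri = normalize(candidate), normalize(issued)
    if not rc or not ri:
        # All-digit/punctuation passwords have no root; compare raw strings.
        rc, ri = candidate.casefold(), issued.casefold()
    if rc == ri:
        return True, "same root as issued password (case/digit/suffix change only)"
    if min(len(rc), len(ri)) >= 4 and (rc in ri or ri in rc):
        return True, "issued password root embedded in new password"
    d = levenshtein(rc, ri)
    if d <= max_distance:
        return True, f"within {d} edits of issued password root"
    return False, "ok"


def audit(accounts, max_distance: int = 2):
    """accounts: iterable of (user, issued, candidate). Returns [(user, reason)] rejections."""
    flagged = []
    for user, issued, candidate in accounts:
        rejected, reason = check_candidate(candidate, issued, max_distance)
        if rejected:
            flagged.append((user, reason))
    return flagged


# Constructed sample data, not from the incident.
SAMPLE_ACCOUNTS = [
    ("alice", "Welcome2021!", "Welcome2021!"),    # identical
    ("bob",   "Welcome2021!", "welcome2022"),     # same root, new year
    ("carol", "Welcome2021!", "W3lc0me#99"),      # leet + new suffix
    ("dave",  "Welcome2021!", "Wellcome9"),       # one edit from the root
    ("erin",  "Welcome2021!", "Tq8#vLm2!zR4pW"),  # genuinely new
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS):
        print(f"REJECT {user}: {reason}")
```

In the sample data, every account except erin is rejected. The check compares normalized roots rather than raw strings, which is what catches the "identical or similar" pattern the ICO describes: a user who turns Welcome2021! into welcome2022 or W3lc0me#99 has not changed the password in any sense an attacker cares about. Length and breach-list checks would sit alongside this, and a real deployment would keep the issued password only long enough to enforce the first change.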

An ICO reprimand is a formal expression of the watchdog's disapproval of a given data protection practice. Reprimands are increasingly favored over fines, especially for public sector organizations: it is the ICO's view that imposing the heavy fines available under the UK GDPR isn't the best course of action for organizations that are already strapped for cash.

The move to favor reprimands was brought in by Information Commissioner John Edwards in 2022, and reprimands include guidance on where organizations that fall foul of data protection law need to improve.

Following the initial compromise of the Electoral Commission's Exchange server on August 24, 2021, the attackers deployed web shells for persistent remote control that were later accessed on a number of other occasions up until August 2, 2022.

Some key details included in the full reprimand are redacted, such as the names of individuals and organizations involved in the cleanup, and the name of a malware payload that was deployed in March 2022.

The key takeaways, however, are that Chinese state-sponsored attackers had access to around 40 million UK voters' names and home addresses for 13 months without being detected, and that this was down to insufficient basic security controls at the Electoral Commission.

Stephen Bonner, deputy commissioner at the ICO, said: "The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.

"I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.

"This action should serve as a reminder to all organizations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organization has installed the latest security updates? If not, then you jeopardize people's personal information and risk enforcement action, including fines."

Essential improvements

The ICO acknowledged that since the incident unfolded, the Electoral Commission has made remedial steps forward, bolstering its security measures in line with what's expected by UK legislation, and implementing an infrastructure modernization plan.

Asked for a response to the reprimand, the Electoral Commission also highlighted the improvements it made but fell short of actually apologizing for its flagrant shortcomings.

A spokesperson said: "We regret that sufficient protections were not in place to prevent the cyberattack on the Commission. As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area.

"Since the cyberattack, security and data protection experts – including the ICO, National Cyber Security Centre, and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.

"We will continue to ensure our cybersecurity keeps pace with emerging threats, and remain vigilant to the risks facing our electoral processes and institutions. We will continue to work with the UK's governments and the wider electoral community to safeguard the safety of the system." ®
