UK Electoral Commission slapped for basic cybersecurity fails
2024-07-31 08:30

The UK's Electoral Commission has received a formal slap on the wrist for a litany of security failings that led to the theft of personal data belonging to around 40 million voters.

Official documents from the Information Commissioner's Office say the people responsible for the 2021 cyberattack on the Electoral Commission's Microsoft Exchange Server are unknown.

Among the failings that led to the attack, and the 13 months it took the Electoral Commission to detect any malicious activity, was an ineffective patching regime that failed to identify multiple vulnerabilities, including ProxyShell, which facilitated the data breach.

The key takeaways are that Chinese state-sponsored attackers had access to around 40 million UK voters' names and home addresses for 13 months without being detected, and that this was possible because of insufficient basic security controls at the Electoral Commission.

Stephen Bonner, deputy commissioner at the ICO, said: "The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands."

The ICO acknowledged that since the incident, the Electoral Commission has taken remedial steps, bolstering its security measures in line with what UK legislation expects and implementing an infrastructure modernization plan.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/31/uk_electoral_commission_ico/