How the theft of 40M UK voter register information was totally


A cyberattack on the U.K. Electoral Commission that resulted in the data breach of voter register records on 40 million people was entirely preventable had the organization used basic security measures, according to the findings of a damning report by the U.K.’s data protection watchdog published this week.

The report, published by the U.K.’s Information Commissioner’s Office on Monday, blamed the Electoral Commission, which maintains copies of the U.K. register of residents eligible to vote in elections, for a series of security failings that led to the mass theft of voter information beginning in August 2021.

The Electoral Commission did not discover the compromise of its systems until more than a year later, in October 2022, and took until August 2023 to publicly disclose the year-long data breach.

The Commission said at the time of public disclosure that the hackers broke into servers containing its email and stole, among other things, copies of the U.K. electoral registers. Those registers store information on voters who registered between 2014 and 2022, and include names, postal addresses, telephone numbers and nonpublic voter information.

The U.K. government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.” China denied involvement in the breach.

The ICO issued its formal rebuke of the Electoral Commission on Monday for violating U.K. data protection laws, adding: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

For its part, the Electoral Commission conceded in a brief statement following the report’s publication that “sufficient protections were not in place to prevent the cyber-attack on the Commission.”

Until the ICO’s report, it wasn’t clear exactly what led to the compromise of tens of millions of U.K. voters’ information, or what could have been done differently.

We now know that the ICO specifically blamed the Commission for not patching “known software vulnerabilities” in its email server, which was the initial point of intrusion for the hackers who made off with reams of voter data. The report also confirms a detail reported by TechCrunch in 2023: that the Commission’s email was a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers broke into the Commission’s self-hosted Exchange server during 2021 and 2022 using a chain of three vulnerabilities collectively known as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.

Microsoft released patches for ProxyShell several months earlier, in April and May 2021, but the Commission had not installed them.

By August 2021, U.S. cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, at which point any organization that had an effective security patching process in place had already rolled out fixes months earlier and was already protected. The Electoral Commission was not one of those organizations.

“The Electoral Commission did not have an appropriate patching regime in place at the time of the incident,” read the ICO’s report. “This failing is a basic measure.”

Among the other notable security issues discovered during the ICO’s investigation, the Electoral Commission allowed passwords that were “highly susceptible” to being guessed, and the Commission confirmed it was “aware” that parts of its infrastructure were out of date.

ICO deputy commissioner Stephen Bonner said in a statement on the ICO’s report and reprimand: “If the Electoral Commission had taken primary steps…
