ICO reprimands elections watchdog after cyber attack compromised servers

The Information Commissioner’s Office (ICO) has issued a reprimand to the Electoral Commission after hackers gained access to servers that contained the personal information of approximately 40 million people.

In August 2021, hackers accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities that had not been patched, the ICO said.

The attackers retained access to the personal information held on the Electoral Register, including names and home addresses, until October 2022. The servers were accessed on several occasions without the Electoral Commission’s knowledge.

The ICO’s investigation found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held.

In particular, it did not ensure its servers were kept up to date with the latest security updates. The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, “months before the attack”.

The Electoral Commission also did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk. 
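One way to catch the pattern the ICO describes, a current password that is identical or only trivially different from the one the service desk issued, is to compare the candidate against the issued value when the user changes it. The following is an added example written for this page, not code from the ICO or the Electoral Commission; the normalisation rules, the edit-distance threshold of 2, and the sample accounts are assumptions made for illustration.

```python
import re
import unicodedata

# Assumed leetspeak substitutions; extend to suit the service desk's own naming habits.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'core' so trivial edits compare equal:
    Unicode-normalise, case-fold, drop the trailing run of digits/symbols
    (the classic 'Welcome1' -> 'Welcome2!' rotation), then undo leetspeak."""
    s = unicodedata.normalize("NFKC", pw).casefold()
    s = re.sub(r"[\W\d_]+$", "", s)
    return s.translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_similar(candidate: str, issued: str, max_distance: int = 2) -> bool:
    """True if the candidate is the issued password or a trivial variant of it."""
    if candidate == issued:
        return True
    a, b = normalize(candidate), normalize(issued)
    if not a or not b:  # all-digit/symbol passwords: fall back to the raw strings
        a, b = candidate.casefold(), issued.casefold()
    if a == b or (len(b) >= 4 and b in a):  # issued core embedded in the new one
        return True
    return levenshtein(a, b) <= max_distance


# Constructed sample data (assumption): what a service desk might have issued versus
# what users later set. In production the check runs in the password-change path on
# the submitted value; plaintext current passwords are never stored or read back.
SAMPLE_ACCOUNTS = [
    {"user": "a.smith", "issued": "Welcome1",  "current": "Welcome1"},              # never changed
    {"user": "b.jones", "issued": "Welcome1",  "current": "Welcome2!"},             # rotated suffix
    {"user": "c.patel", "issued": "Temp2021!", "current": "T3mp2022!"},             # leetspeak + year
    {"user": "d.okoro", "issued": "Welcome1",  "current": "Welcome1March"},         # appended word
    {"user": "e.lee",   "issued": "Welcome1",  "current": "correct-horse-battery"}, # genuinely new
    {"user": "f.khan",  "issued": "Welcome1",  "current": "5h0r7-R4nd0m#Q"},        # genuinely new
]


def audit(accounts, max_distance: int = 2):
    """Return the usernames whose current password is the issued one or a variant of it."""
    return [acc["user"] for acc in accounts
            if is_similar(acc["current"], acc["issued"], max_distance)]


if __name__ == "__main__":
    for user in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: password identical or similar to the service-desk issued value")
```

The check belongs where the submitted password is available in cleartext, such as a password-change handler or a directory password filter, with the issued value held only until the first successful change. The plaintext `current` column in the sample exists solely to make the example self-contained; auditing existing accounts would instead hash the normalised variants of each issued password and compare them against the directory's stored hashes.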

Stephen Bonner, Deputy Commissioner at the ICO, said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands. 

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers. 

“I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.”

Bonner added: “This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people's personal information and risk enforcement action, including fines.”  

The Electoral Commission has taken a number of remedial steps to improve its security following the attack, including implementing a plan to modernise its infrastructure, as well as password policy controls and multi-factor authentication for all users. 

Responding to the issue of the reprimand, an Electoral Commission spokesperson said: “We regret that sufficient protections were not in place to prevent the cyber-attack on the Commission. As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area. 

“Since the cyber-attack, security and data protection experts – including the ICO, National Cyber Security Centre and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.  

“We will continue to ensure our cyber security keeps pace with emerging threats, and remain vigilant to the risks facing our electoral processes and institutions. We will continue to work with the UK’s governments and the wider electoral community to safeguard the safety of the system.” 

The Electoral Commission stressed that the data accessed when the attack took place does not impact how people register, vote, or participate in democratic processes. It also has no impact on the management of the electoral registers or on the running of elections.