Basic Failures Led to Hacking of Electorates’ Data, Watchdog Finds

The ICO found it’s highly likely the attack would have been prevented if the Electoral Commission had updated its software and had a sufficient password policy in place.
A woman holding a phone showing a passport lock on the screen. (Tero Vesalainen/Shutterstock)
Lily Zhou

Basic failures to update software and change passwords led to the hacking of 40 million voters’ data by Beijing-linked actors, the UK’s information watchdog has found.

On Tuesday, the Information Commissioner’s Office (ICO) reprimanded the Electoral Commission for not having appropriate security measures in place to protect the personal information it held.

Hackers affiliated with the Chinese regime gained access to the Electoral Commission’s Microsoft Exchange Server in August 2021 by impersonating a user account, exploiting software vulnerabilities that were already known at the time.

The breach was not detected until October 2022. During that time, hackers accessed voters’ personal information including their names and home addresses.

The ICO’s investigation found that security patches addressing the vulnerabilities exploited in the cyber attack had been released in April and May 2021, months before the breach occurred.

At the time, the Electoral Commission also lacked sufficient password policies, meaning many account users never changed their passwords or used passwords only slightly different from those originally allocated by the service desk.

Stephen Bonner, deputy commissioner at the ICO, said it’s “highly likely” that the security breach would have been prevented if it weren’t for those failures.

“The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” Bonner said.

The hacking of the Electoral Commission affected 40 million voters whose personal information was held on the system.

The deputy commissioner said that while the headline figure has “caused considerable public alarm,” there is “no reason to believe any personal data was misused” and “no evidence that any direct harm has been caused by this breach.”

He also said that the Electoral Commission has now taken the necessary steps to improve its security, and urged other organisations to actively take preventative measures to secure their systems.

Responding to the findings, a spokesperson for the Electoral Commission said: “We regret that sufficient protections were not in place to prevent the cyber-attack on the Commission. As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area.

“Since the cyber-attack, security and data protection experts—including the ICO, National Cyber Security Centre and third-party specialists—have carefully examined the security measures we have put in place and these measures command their confidence.

“We will continue to ensure our cyber security keeps pace with emerging threats, and remain vigilant to the risks facing our electoral processes and institutions. We will continue to work with the UK’s governments and the wider electoral community to safeguard the safety of the system.”

In March, the government sanctioned a front company and two individuals involved in the CCP-affiliated hacking group APT 31 for the attack on the Electoral Commission and a cyber reconnaissance email campaign targeting parliamentarians.

The sanctions were issued in coordination with the United States.

Officials from Canada, Finland and New Zealand said they had been targeted by the same group.

According to an indictment unsealed by the U.S. Department of Justice, hackers had sent 1,000 emails to more than 400 accounts of individuals associated with the Inter-Parliamentary Alliance on China, an alliance of 47 UK parliamentarians and over 200 lawmakers from other legislatures on six continents, which was founded in 2020 in response to the challenge posed by the Chinese communist regime.