The Electoral Commission of the UK was found lacking in vital cybersecurity measures shortly before falling prey to a cyber intrusion. The breach reportedly allowed attackers to access voter registers containing personal details such as names and addresses, as per BBC’s findings. Alarmingly, the commission had previously been deemed deficient during a Cyber Essentials audit—a standard it has not yet met.
The Cyber Essentials programme, introduced by the UK government in 2014, serves to certify organisations based on certain cybersecurity benchmarks. Organisations are mandated to fulfill a prescribed set of cybersecurity criteria to earn these certifications. Moreover, any entity vying for government contracts that involve managing sensitive personal data must have a current Cyber Essentials certificate.
The BBC highlighted that the Electoral Commission failed the Cyber Essentials assessment in several areas in 2021. One glaring issue was the continued use of around 200 staff laptops running outdated and potentially vulnerable software. The audit also found that commission staff were using old iPhone models that no longer received security updates from Apple.
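The two findings above (laptops on outdated software, phones past their vendor's security-update window) are both patch-currency failures, which is one of the control areas Cyber Essentials assesses. The script below is an added example, not code from the article or from the Electoral Commission: it audits a constructed device inventory against a constructed table of minimum supported OS major versions and lists every device that falls below the floor. The inventory entries, the `MIN_SUPPORTED_MAJOR` values and the `audit` function are all assumptions for illustration; a real check would take the floors from the vendors' own support statements.

```python
"""Patch-currency check over a device inventory, in the spirit of a
Cyber Essentials assessment. Added example; the data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    kind: str        # "laptop" or "phone"
    os_name: str
    os_version: str  # dotted version string as reported by the device


# Constructed policy table (placeholder values, not vendor data): the oldest
# OS major version that still receives security updates from its vendor.
MIN_SUPPORTED_MAJOR = {
    "windows": 10,
    "ios": 16,
}

# Constructed inventory standing in for an organisation's asset register.
INVENTORY = [
    Device("LT-0001", "laptop", "windows", "10.0.19045"),
    Device("LT-0002", "laptop", "windows", "8.1.9600"),
    Device("PH-0001", "phone", "ios", "17.2"),
    Device("PH-0002", "phone", "ios", "12.5.7"),
    Device("PH-0003", "phone", "unknownos", "1.0"),
]


def major_version(version: str) -> int:
    """Return the leading integer of a dotted version string."""
    return int(version.split(".")[0])


def is_supported(device: Device) -> bool:
    """True if the device's OS major version meets the policy floor.

    Unknown operating systems and unparsable versions fail closed: an
    assessor cannot accept a device whose patch status cannot be shown.
    """
    floor = MIN_SUPPORTED_MAJOR.get(device.os_name)
    if floor is None:
        return False
    try:
        return major_version(device.os_version) >= floor
    except ValueError:
        return False


def audit(inventory):
    """Return (failing devices, per-kind summary of totals and failures)."""
    failing = [d for d in inventory if not is_supported(d)]
    summary = {}
    for d in inventory:
        entry = summary.setdefault(d.kind, {"total": 0, "failing": 0})
        entry["total"] += 1
        if not is_supported(d):
            entry["failing"] += 1
    return failing, summary


if __name__ == "__main__":
    failing, summary = audit(INVENTORY)
    for d in failing:
        print(f"FAIL {d.asset_id} ({d.kind}): {d.os_name} {d.os_version}")
    for kind, counts in summary.items():
        print(f"{kind}: {counts['failing']} of {counts['total']} non-compliant")
```

Failing closed on unknown or unparsable platforms is deliberate: a device that cannot demonstrate its patch level counts against the organisation in the same way an unsupported one does, so it should surface in the report rather than silently pass.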
Despite these findings, the Electoral Commission clarified to the BBC that it didn’t seek the Cyber Essentials certification in 2022. The commission conveyed in a statement, “We constantly strive to enhance our cybersecurity infrastructure and routinely collaborate with the National Cyber Security Centre—like many other public entities—to bolster our defenses against cyber threats.”
In a startling revelation last month, the commission confirmed that its email system was compromised by “malicious entities”, which might have exposed the data of nearly 40 million voters. Disturbingly, even though these attackers had accessed the electoral registers and email system as far back as August 2021, it wasn’t until October 2022 that suspicious login activity brought this breach to light. Details regarding the identity of the intruders or the method of the breach remain undisclosed.
In a statement following the incident, Shaun McNally, the chief executive of the Electoral Commission, admitted to the lapses in their security. He commented, “It’s deeply regrettable that our systems weren’t adequately fortified against such cyber intrusions.” He added, “Upon recognising the breach, we’ve extensively worked alongside experts to fortify the integrity and reliability of our IT infrastructure.”
Adhering to data protection mandates, McNally reported that the Electoral Commission informed the Information Commissioner’s Office (ICO) about the breach within the stipulated 72-hour window.