BBC Exposes Gaps in Electoral Commission’s Cyber Defense Ahead of Major Breach

Reading Time: ( Word Count: )

September 5, 2023
Nextdoorsec-course

The Electoral Commission of the UK was found lacking in vital cybersecurity measures shortly before falling prey to a cyber intrusion. The breach reportedly allowed attackers to access voter registers containing personal details such as names and addresses, as per BBC’s findings. Alarmingly, the commission had previously been deemed deficient during a Cyber Essentials audit—a standard it has not yet met.

The Cyber Essentials programme, introduced by the UK government in 2014, serves to certify organisations based on certain cybersecurity benchmarks. Organisations are mandated to fulfill a prescribed set of cybersecurity criteria to earn these certifications. Moreover, any entity vying for government contracts that involve managing sensitive personal data must have a current Cyber Essentials certificate.

It was highlighted by the BBC that the Electoral Commission did not pass the Cyber Essentials test in several domains in 2021. One glaring issue was the continued use of around 200 staff laptops with outdated and potentially vulnerable software. Alongside this, the audit pinpointed that the commission staff was utilising old iPhone models that no longer received security patches from Apple.

Also Read: Freecycle’s Data Breach Affects Over 7 Million Users

BBC Exposes Gaps in Electoral Commission's Cyber Defense

Despite these findings, the Electoral Commission clarified to the BBC that it didn’t seek the Cyber Essentials certification in 2022. The commission conveyed in a statement, “We constantly strive to enhance our cybersecurity infrastructure and routinely collaborate with the National Cyber Security Centre—like many other public entities—to bolster our defenses against cyber threats.”

In a startling revelation last month, the commission confirmed that its email system was compromised by “malicious entities”, which might have exposed the data of nearly 40 million voters. Disturbingly, even though these attackers had accessed the electoral registers and email system as far back as August 2021, it wasn’t until October 2022 that suspicious login activity brought this breach to light. Details regarding the identity of the intruders or the method of the breach remain undisclosed.

In a statement post the incident, Shaun McNally, the chief executive of the Electoral Commission, admitted to the lapses in their security. He commented, “It’s deeply regrettable that our systems weren’t adequately fortified against such cyber intrusions.” He added, “Upon recognising the breach, we’ve extensively worked alongside experts to fortify the integrity and reliability of our IT infrastructure.”

Adhering to data protection mandates, McNally reported that the Electoral Commission informed the Information Commissioner’s Office (ICO) about the breach within the stipulated 72-hour window.

Saher Mahmood

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *