The UK Electoral Commission has been criticized by the Information Commissioner's Office (ICO) for failing to secure personal data, leaving details of up to 40 million voters vulnerable to hackers. The ICO's investigation revealed that basic security measures, such as password changes and software updates, were not properly implemented, enabling hackers to access sensitive voter information.
The security lapse began in August 2021 when cyber-attackers gained access to computers containing the Electoral Registers, which include detailed personal information of voters, much of which is not publicly accessible. The breach went undetected for over a year and was only discovered when an employee noticed spam emails being sent from the commission’s own email server. The hackers were removed from the system in 2022.
The Electoral Commission has expressed regret over the inadequate protections that failed to prevent the attack. In response to the breach, the commission has implemented changes to enhance its security measures and continues to invest in improving its systems. Despite the breach, the ICO found no evidence that personal data was misused or that any direct harm resulted from the attack.
The ICO’s report highlighted significant security failures, including the lack of timely software updates and poor password management. The hackers exploited known vulnerabilities in the commission’s software—vulnerabilities that had been addressed by updates available prior to the attack. Additionally, investigators found that 178 active email accounts were using outdated passwords set by the IT service desk.
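The two failures the ICO report names (patches not applied after fixes were public, and accounts still on the passwords the service desk set) are both things a routine audit can surface. The script below is an added example, not code from the Electoral Commission or the ICO: it runs two such checks over constructed sample records. The account fields (`provisioned_on`, `password_last_set`, `password_set_by`), the host fields, the product names and version numbers, the 90-day rotation policy and the 14-day patch grace period are all assumptions for illustration, not values from the report.

```python
"""Audit checks for the two failure modes in the ICO findings.
Added example, not Electoral Commission or ICO code. All records, field
names, version numbers and policy thresholds below are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    provisioned_on: date       # when the service desk created the account
    password_last_set: date    # directory attribute such as pwdLastSet (assumed)
    password_set_by: str       # "service_desk" or "user" (assumed audit field)


@dataclass(frozen=True)
class Host:
    hostname: str
    product: str
    installed_version: str
    fixed_version: str         # first version that closes the known vulnerability
    fix_released_on: date


def stale_service_desk_passwords(accounts, today, max_age_days=90):
    """Enabled accounts whose password is still the one the service desk set,
    or whose password is older than the rotation policy allows."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot be logged into; skip them
        never_rotated = a.password_set_by == "service_desk"
        too_old = (today - a.password_last_set).days > max_age_days
        if never_rotated:
            findings.append((a.username, "unchanged-since-provisioning"))
        elif too_old:
            findings.append((a.username, "rotation-overdue"))
    return findings


def version_tuple(v):
    """'15.1.2' -> (15, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def overdue_patches(hosts, today, grace_days=14):
    """Hosts still below the fixed version once the grace period has passed.
    Returns (hostname, product, days since the fix was published)."""
    findings = []
    for h in hosts:
        if version_tuple(h.installed_version) < version_tuple(h.fixed_version):
            lag = (today - h.fix_released_on).days
            if lag > grace_days:
                findings.append((h.hostname, h.product, lag))
    return findings


# Constructed sample data: an audit run on 31 July 2021 (date chosen arbitrarily).
AUDIT_DATE = date(2021, 7, 31)

SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2020, 1, 10), date(2020, 1, 10), "service_desk"),
    Account("bob", True, date(2021, 6, 1), date(2021, 6, 20), "user"),
    Account("carol", True, date(2019, 3, 1), date(2020, 11, 15), "user"),
    Account("dave", False, date(2018, 5, 5), date(2018, 5, 5), "service_desk"),
]

SAMPLE_HOSTS = [
    Host("mail01", "mail-server", "15.1.2", "15.1.3", date(2021, 3, 2)),
    Host("web01", "web-server", "2.4.48", "2.4.46", date(2021, 1, 15)),
    Host("fs01", "file-server", "1.0.1", "1.0.2", date(2021, 7, 25)),
]

if __name__ == "__main__":
    for username, reason in stale_service_desk_passwords(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"PASSWORD  {username}: {reason}")
    for hostname, product, lag in overdue_patches(SAMPLE_HOSTS, AUDIT_DATE):
        print(f"PATCH     {hostname} ({product}): fix available for {lag} days")
```

On the sample data the password check flags `alice` (never changed since the service desk set it) and `carol` (set by the user but past the 90-day policy), and skips the disabled `dave`; the patch check flags only `mail01`, because `web01` is already above the fixed version and `fs01` is still inside the grace period. In a real environment the records would come from the directory and the software inventory rather than being hard-coded, but the two conditions being tested are exactly the ones the report describes.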
Stephen Bonner, deputy commissioner at the ICO, criticized the Electoral Commission for failing to take basic security precautions. “If the Electoral Commission had implemented basic security measures, it is highly likely the data breach would have been prevented,” Bonner stated. He emphasized that the failure to apply security updates left the systems exposed and vulnerable to attack.
The UK government has formally accused China of being behind the cyber-attack, a claim that has been dismissed by the Chinese embassy as “malicious slander.” The ICO’s findings underscore the need for rigorous cybersecurity practices to protect sensitive personal data from potential breaches.