How the theft of 40 million UK voter registers could have been completely prevented

The cyberattack on the British Electoral Commission, which led to the breach of 40 million people’s electoral records, could have been entirely prevented if the organisation had put basic security measures in place, according to a devastating report published this week by the UK’s data protection watchdog.

The report, published by the UK Information Commissioner’s Office on Monday, blamed the Electoral Commission, which holds copies of the UK’s electoral register, for a series of security lapses that led to the mass theft of voter data beginning in August 2021.

The Electoral Commission only discovered the breach of its systems more than a year later, in October 2022, and it took until August 2023 to publicly disclose the year-long data breach.

The Commission said at the time of its public disclosure that hackers had breached its email servers and stolen, among other things, copies of the UK electoral registers. These registers hold details about voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and non-public voter information.

The UK Government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “wide-scale espionage and international repression of perceived dissidents and critics in the UK.” China has denied any involvement in the breach.

On Monday, the ICO issued a formal reprimand to the Electoral Commission for breaching UK data protection laws, adding: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.”

The Electoral Commission, for its part, conceded in a short statement after the report was published that “sufficient protective measures were not implemented to prevent a cyberattack on the Commission”.

Until the ICO report was released, it was not clear what exactly led to the data of tens of millions of British voters being exposed, or what could have been done differently.

We now know that the ICO has blamed the Commission for failing to patch known vulnerabilities on its email server, which was the initial point of entry for the hackers who made off with the voter data. The report also confirms a detail reported by TechCrunch in 2023: the Commission’s email ran on a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers breached the Commission’s self-hosted Exchange server in 2021-2022 by exploiting a chain of three vulnerabilities, collectively known as ProxyShell, which allowed the hackers to break in, take control of the server, and plant malicious code on it.

Microsoft released patches for ProxyShell several months earlier, in April and May 2021, but the Commission didn’t install them.

By August 2021, the U.S. cybersecurity agency CISA began to sound the alarm that malicious attackers were actively exploiting ProxyShell, at which point every organization with an effective security patching process had already deployed the patches months earlier and was already protected. The Electoral Commission was not one of those organizations.

“The Electoral Commission did not have an adequate patching system in place at the time of the incident,” the ICO report reads. “This flaw is a fundamental measure.”

Among other significant security issues uncovered during the ICO investigation, the Electoral Commission had allowed passwords that were “highly susceptible to guessing” and also confirmed it was “aware” that parts of its infrastructure were out of date.

ICO Deputy Commissioner Stephen Bonner said in a press release on the report and the ICO reprimand: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.”

Why didn’t the ICO fine the Electoral Commission?

A completely avoidable cyberattack that exposed the personal data of 40 million British voters might seem a serious enough breach to warrant a fine rather than a reprimand for the Electoral Commission, but the ICO has issued only a public reprimand for lax security.

In the past, public sector bodies have been fined for violating data protection rules. But in June 2022, under the previous Conservative government, the ICO announced it would trial a revised approach to enforcement against public bodies.

The regulator said the policy change meant public bodies were unlikely to see large fines for breaches over the next two years, while the ICO suggested incidents would continue to be closely investigated. However, the sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.

In an open letter explaining the move at the time, Information Commissioner John Edwards wrote: “I am not convinced that large fines alone are such an effective deterrent in the public sector. They do not affect shareholders or individual directors in the same way as in the private sector, but come directly from the budget for providing services. The impact of a public sector fine often falls on the victims of a breach, in the form of reduced budgets for key services, rather than on the perpetrators. In effect, those affected are punished twice.”

At first glance, it might seem that the Electoral Commission was lucky to discover the breach during the ICO’s two-year trial of a more lenient approach to public sector enforcement.

Alongside the ICO’s statement that it would be trialling fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive workflow, engaging with the senior management of public bodies to raise standards and ensure compliance with data protection law across government through a harm prevention approach.

But when Edwards revealed the plan to trial a mix of softer enforcement and proactive outreach, he acknowledged it would take effort from both sides, writing: “We can’t do this alone. There has to be accountability on both sides to deliver these improvements.”

The Electoral Commission’s breach of the rules could therefore raise wider questions about the success of the ICO’s approach, including whether public sector bodies have kept their end of the bargain to justify more lenient enforcement.

It certainly doesn’t appear that the Electoral Commission was suitably proactive in assessing the risk of a breach in the early months of the ICO’s trial, that is, before it discovered the hack in October 2022. The ICO’s reprimand, which describes patching a known software vulnerability as a “fundamental measure”, for instance, reads like the very definition of the preventable data breach that the regulator said it wanted to address through its change in public sector policy.

In this case, however, the ICO says it did not apply its more lenient public sector enforcement policy.

In response to questions on why the Electoral Commission was not fined, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered in this case. Despite the number of people affected, the personal data was limited primarily to the names and addresses contained in the Electoral Register. Our investigation did not find any evidence of misuse of personal data or that this breach caused any direct harm.”

“The Electoral Commission has already taken the necessary steps we expect to see to improve security in the wake of this incident, including implementing an infrastructure modernisation plan, as well as reviewing password policies and multi-factor authentication for all users,” the spokesperson added.

The regulator says there was no fine because no data was misused, or rather, because the ICO found no evidence of misuse. The mere exposure of 40 million voters’ information did not meet the ICO’s threshold.

One wonders to what extent the regulator’s investigation focused on identifying how the voter information might have been misused.

Returning to the ICO’s public sector enforcement approach: at the end of June, as the experiment approached its two-year mark, the regulator issued a press release saying it would review the policy before deciding in the autumn on the future of the sectoral approach.

Whether this policy will continue, or whether there will be a shift towards fewer reprimands and bigger fines for public sector data breaches, remains to be seen. Regardless, the Electoral Commission case shows that the ICO is reluctant to impose sanctions on the public sector unless the exposure of individuals’ data can be linked to proven harm.

It is not clear how a regulatory approach that is not intended to deter will help raise data protection standards across government.

This article was originally published on : techcrunch.com

The UK’s data protection watchdog says its crackdown on sites that don’t ask visitors to consent to having their browsing activity tracked and profiled for ad targeting is bearing fruit. However, it admits that some of the changes prompted by the crackdown have seen sites adopt a controversial type of paywall that requires users either to pay a fee to access content or to opt in to being tracked and profiled for ad targeting (also known as “pay or consent”).

The ICO did not disclose which websites had switched to a pay-or-consent model after it began asking questions about their tracking cookies. But it did name and shame several companies for failing to comply with other cookie rules.

On Tuesday local time, the Information Commissioner’s Office (ICO) announced it had reprimanded Bonne Terre, the company behind Sky Betting and Gaming, for unlawfully processing personal data without consent.

Research has shown that data tracking can do a lot of harm to people with addiction problems, which may explain why the ICO’s public rebuke focused on a company in the gambling sector.

“From 10 January to 3 March 2023, Sky Betting and Gaming processed users’ personal data and shared it with advertising technology companies as soon as they accessed the SkyBet website – before they had the opportunity to accept or reject advertising cookies,” the ICO wrote in a press release. “This meant that their personal data could be used to target them with personalised adverts without their prior consent or knowledge.”

The regulator told TechCrunch that it chose to issue a reprimand rather than a penalty in this case because it believes that is a proportionate use of its powers, “based on what will achieve the best outcome, and based on our priorities and limited resources.”

“In this case, we took into account Bonne Terre’s positive engagement with the ICO and the steps it has taken to improve compliance and considered that a reprimand was the most proportionate action,” ICO spokesman James Huyton added.

The reprimand is part of a wider ICO crackdown on the use of cookies without consent. The regulator points to a review of the UK’s “top 100 sites” last year that identified “problems” with the way more than half of them used advertising cookies. It then wrote to 53 sites of concern, warning they faced enforcement action if they did not change the way they deploy advertising cookies to comply with data protection law. The ICO suggests the outreach has helped remove some non-compliant cookie banners.

The regulator declined to confirm the identity of any of the other sites contacted as part of its cookie compliance check. However, reporting the results of its flurry of letters, the ICO said 52 of the sites it approached had made changes to the way they collect consent to tracking. The ICO said it had observed a range of changes, including some sites moving to a so-called “pay or consent” model, in which visitors are blocked from accessing site content unless they consent to tracking or pay a fee.

Pay or consent is a controversial approach that is currently being challenged both legally and by regulators in the European Union, including by privacy and consumer protection groups. Meta’s implementation of pay or consent is also suspected of violating the bloc’s fair market rules. (The ICO declined to say whether Meta was one of the site owners it contacted about cookie consent.)

In a press release accompanying the report on the results of the cookie banner crackdown, Stephen Bonner, deputy commissioner at the ICO, said the intervention had led to 99 of the top 100 UK websites “either already offering meaningful choice in advertising cookies or making changes to get people’s consent”. Which is quite the either/or.

Bonner’s statement does not provide any data to quantify the ICO’s actual impact on the consent choices offered to UK web users. He says only that “some” of the changes observed included the introduction of a reject-all button on sites that previously lacked one; others involved sites making their accept-all and reject-all buttons equally visible; and other sites introduced alternatives such as “consent or pay”, a business model the ICO is “currently reviewing” for legality.

The gold standard for compliance with the UK’s General Data Protection Regulation, which is based on the EU framework of the same name, would be to present website visitors with a simple yes/no choice to accept or decline tracking. Sites that fail to do so, for example by only allowing users to accept but not decline tracking, or by making it easy to click an accept button while hiding the decline option behind multiple menus of confusingly worded settings, should be penalized for non-compliance. But too often they get away with using manipulative design patterns to extract consent.

The ICO must take some of the blame for years of ignoring warnings from privacy activists about the ad tech industry’s unchecked data collection. It also failed to act decisively on its own concerns about the sector’s data collection practices, as set out in a 2019 report: in 2020, for example, it closed a complaint without issuing a decision because it opted for soft industry engagement rather than vigorous enforcement.

Last year’s cookie compliance campaign looks like an attempt by the ICO to finally be seen to do something after years of exempting ad tech players from compliance. However, its actions may raise questions given that enforcement has apparently fuelled a rise in the use of controversial “pay or consent” tactics. It is also interesting to consider which sites it chooses to name and shame compared with others that still do not offer users a clear yes/no choice, but whose names we have to infer.

As well as publicly reprimanding Sky Betting, the ICO decided to name and shame the gossip website Tattle Life, which it says was the only one of the 53 websites contacted that did not engage, and said it would now launch an investigation into its use of cookies and its “apparent failure” to register with the ICO.

What about sites that have switched to “consent or pay” cookie banners, meaning they do not offer web users a free choice to opt out of tracking?

Tech giant Meta entered the game last year, deciding to force ad-tracking consent from Facebook and Instagram users by imposing a “pay us or let us track you” paywall on its formerly free social networks. Since then, a growing number of British news sites have imitated the tactic, with “pay or consent” paywalls popping up everywhere previously free, ad-supported journalism was available.

We asked the ICO for its views on the creep and growth of “pay or consent”, including Meta’s adoption of the tactic, and a spokesperson referred to Bonner’s previous comments, writing: “Following engagement with Meta, we are investigating how UK data protection law would apply to any potential ad-free subscription service. We expect Meta to consider any data protection concerns we raise before rolling out a subscription service to UK users.”

At the start of this year, the ICO ran a consultation on “pay or consent” business models, saying it hoped to offer an initial view of the approach, but it has not yet adopted a clear public position. And in this regulatory gray area, a lot of “consent or pay(wall)” is happening.

“When it comes to opt-in or pay models, we have told companies that they are not transparent with the public and that they must offer people meaningful choice about how their data is used and shared on their websites,” the spokesperson added. “Some companies have introduced alternative methods of obtaining consent, such as ‘opt-in or pay’, which we are currently considering as a business model following our consultation in early 2024. We will provide our position later in the year. In the meantime, we will continue to monitor developments in new approaches.”

This article was originally published on : techcrunch.com

During last week’s GlowTime event, Apple announced that iOS 18 will include a feature that allows users with mild to moderate hearing loss to use AirPods as hearing aids.

But Apple was still waiting for FDA approval, which was announced just days later. The FDA described it as the first “over-the-counter hearing aid software,” and one of its leaders suggested it could be “another step that increases the availability, affordability, and acceptability of hearing support for adults with perceived mild to moderate hearing loss.”

TechCrunch’s Brian Heater tried out a partial version of the feature last week. It won’t be available to those with standard AirPods, like the ones I’m wearing now; you will need the company’s latest premium earbuds, the AirPods Pro 2, since the feature leverages the Pro’s passive noise cancellation and H2 chip.

In today’s TechCrunch Minute, we discuss how Apple’s hearing test works and how it is changing the hearing aid market.

This article was originally published on : techcrunch.com


AWS announced today that it is moving OpenSearch, its open source fork of the popular Elasticsearch search and analytics engine, to the Linux Foundation with the launch of the OpenSearch Foundation.

AWS first launched the OpenSearch project in 2021, after Elastic changed the license for its Elasticsearch and Kibana projects to its own proprietary license, the Elastic License. At the time, several open source vendors made similar changes, largely to stop large cloud providers, and especially AWS, from offering hosted services based on their software.

Ironically, the move comes just weeks after Elastic announced it would be re-offering Elasticsearch and Kibana under an open source license, the AGPL, which requires users to publish their full source code if they make any changes. Interestingly, Elastic decided to make this option available alongside its own, more restrictive license because, as the company said, “we have people who really like ELv2.”

When AWS created OpenSearch, there was a lot of skepticism surrounding the project. After all, AWS had never managed a project of this size before. Mukul Karnik, AWS general manager for search services, admitted as much.

“When we started OpenSearch at the time, Amazon and AWS were new to taking an open source project and developing it,” he told me in an interview before today’s announcement. “Our goal from the very beginning was to be community-driven and see how we could get more community members to participate and contribute to the project.”

Karnik noted that AWS has gradually opened up the project, encouraging both input and broader governance. “It’s become more organic, in a sense, where we’re taking these organic steps to figure out how to get more people to participate in the project.”

With today’s launch, many other major companies have joined the Foundation, including SAP and Uber, which have become premium members, while Aiven, Aryn, Atlassian, Canonical, Digital Ocean, Eliatra, Graylog, NetApp Instaclustr, and Portal26 have become general members.

Karnik noted that AWS expects its contribution to OpenSearch to increase.

In 2021, a foundation wasn’t on the roadmap yet, but now moving the project into its own foundation looks like a natural next step, Karnik said. He also noted that the OpenSearch ecosystem has added quite a few innovations of its own to the project, including moving it from a cluster-based system to a more cloud-native architecture. He also noted that the project has recently introduced updates such as separating compute and storage, as well as segment replication. With the advent of artificial intelligence, interest in OpenSearch as a vector database has also increased, Karnik said.

The new Foundation will operate under the standard Linux Foundation governance model, with an oversight board and a technical steering committee.

“The Linux Foundation is excited to provide a neutral home for open and collaborative development around open source search and analytics,” said Jim Zemlin, executive director of the Linux Foundation. “Search is something we rely on every day, for both business and consumer use, and we look forward to supporting the OpenSearch community and helping them deliver powerful search and analytics tools to organizations and individuals around the world.”

As with many similar foundations, one of the reasons AWS has decided to contribute the project now is to gain access to the Linux Foundation’s services and expertise in managing and developing open source projects. Additionally, the move helps OpenSearch shed its perception of being primarily an AWS-driven project, a key step for continued growth and broader adoption.

This article was originally published on : techcrunch.com