How the theft of 40 million UK voter registers could have been completely prevented

The cyberattack on the British Electoral Commission, which led to the breach of 40 million people’s electoral records, could have been entirely prevented if the organisation had put basic security measures in place, according to a devastating report published this week by the UK’s data protection watchdog.

A report published by the UK Information Commissioner’s Office on Monday blamed the Electoral Commission, which holds copies of the UK’s electoral register, for a series of security lapses that led to the mass theft of voter data beginning in August 2021.

The Electoral Commission only discovered the breach of its systems more than a year later, in October 2022, and it took until August 2023 to publicly disclose the year-long data breach.

The commission said at the time of its public disclosure that hackers had breached its email servers and stolen, amongst other things, copies of the UK electoral registers. These registers hold details about voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and non-public voter information.

The UK government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “wide-scale espionage and international repression of perceived dissidents and critics in the UK.” China has denied any involvement in the breach.

On Monday, the ICO issued a formal reprimand to the Electoral Commission for breaching UK data protection laws, adding: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.”

The Electoral Commission, for its part, admitted in a short statement after the report was published that “sufficient protective measures were not implemented to prevent a cyberattack on the Commission”.

Until the ICO report was released, it was not clear what exactly led to the data of tens of millions of British voters being exposed, or what could have been done differently.

We now know that the ICO has blamed the Commission for failing to patch known vulnerabilities on its email server, which was the initial point of entry for hackers who made off with large amounts of voter data. The report also confirms a detail reported by TechCrunch in 2023: the Commission’s email ran on a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers breached the Commission’s self-hosted Exchange server in 2021-2022 by exploiting a chain of three vulnerabilities, collectively known as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.

Microsoft released patches for ProxyShell several months earlier, in April and May 2021, but the Commission didn’t install them.

By August 2021, the U.S. cybersecurity agency CISA began to sound the alarm that malicious attackers were actively exploiting ProxyShell, by which point every organisation with an effective security patching process had already deployed the patches months earlier and was protected. The Electoral Commission was not one of those organisations.
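The patching-window argument above, as an added illustration that is not from the article or the ICO report: a small Python patch-exposure tracker that takes a host inventory with the vendor fix date, the date exploitation became public, and the install date, and flags hosts left unpatched beyond a policy window. The host names, the policy windows, and the exact dates (11 May 2021 for the fix, 21 August 2021 for the CISA alert) are assumptions; the article gives only the months.

```python
"""Patch-exposure tracker (added illustration, not from the ICO report).

Flags hosts whose vendor patches were left uninstalled past a policy
deadline and reports how long each host ran with a known fix available.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy windows (assumed, not from the report): days allowed between a
# vendor publishing a fix and the fix being installed.
POLICY_DAYS_CRITICAL = 14
POLICY_DAYS_ACTIVELY_EXPLOITED = 2  # once exploitation is public, the clock tightens


@dataclass
class PatchRecord:
    host: str
    fix_released: date               # vendor published the patch
    exploited_since: Optional[date]  # first public report of active exploitation
    installed: Optional[date]        # None = still unpatched


def deadline(rec: PatchRecord) -> date:
    """Earliest of: release + critical window, exploitation + exploited window."""
    dl = rec.fix_released + timedelta(days=POLICY_DAYS_CRITICAL)
    if rec.exploited_since is not None:
        dl = min(dl, rec.exploited_since + timedelta(days=POLICY_DAYS_ACTIVELY_EXPLOITED))
    return dl


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the host ran with a fix available but not installed."""
    end = rec.installed if rec.installed is not None else as_of
    return max(0, (end - rec.fix_released).days)


def status(rec: PatchRecord, as_of: date) -> str:
    dl = deadline(rec)
    if rec.installed is not None:
        return "ok" if rec.installed <= dl else "late"
    if rec.exploited_since is not None and as_of >= rec.exploited_since:
        return "overdue-exploited"  # unpatched while exploitation is public
    return "overdue" if as_of > dl else "pending"


def report(records: List[PatchRecord], as_of: date) -> Dict[str, Tuple[str, int]]:
    return {r.host: (status(r, as_of), exposure_days(r, as_of)) for r in records}


# Constructed sample inventory following the article's timeline (assumed exact dates)
FIX_RELEASED = date(2021, 5, 11)  # May 2021 Exchange patch
CISA_ALERT = date(2021, 8, 21)    # CISA warning of active ProxyShell exploitation
SAMPLE = [
    PatchRecord("mail-patched-on-time", FIX_RELEASED, CISA_ALERT, date(2021, 5, 20)),
    PatchRecord("mail-patched-late", FIX_RELEASED, CISA_ALERT, date(2021, 7, 1)),
    PatchRecord("mail-never-patched", FIX_RELEASED, CISA_ALERT, None),
]


def sample_report(as_of_iso: str) -> Dict[str, Tuple[str, int]]:
    """Run the tracker over the constructed inventory as of an ISO date."""
    return report(SAMPLE, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for host, (state, days) in sample_report("2022-10-01").items():
        print(f"{host:24s} {state:18s} exposed {days} days")
```

The never-patched host shows up as overdue while exploitation is public and accumulates exposure days until the reference date, which is the state the report describes for the Commission's server.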

“The Electoral Commission did not have an adequate patching system in place at the time of the incident,” the ICO report reads. “This is a fundamental measure.”

Among other significant security issues uncovered during the ICO investigation, the Electoral Commission had allowed passwords that were “highly susceptible to guessing” and also confirmed it was “aware” that parts of its infrastructure were out of date.

ICO Deputy Commissioner Stephen Bonner said in a press release on the report and the ICO reprimand: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.”

Why didn’t the ICO fine the Electoral Commission?

A completely avoidable cyberattack that exposed the personal data of 40 million British voters might appear serious enough to warrant a fine rather than a reprimand for the Electoral Commission, but the ICO has issued only a public reprimand for lax security.

In the past, public sector bodies have been punished for violating data protection rules. But in June 2022, under the previous Conservative government, the ICO announced it would trial a revised approach to enforcement against public bodies.

The regulator said the policy change meant public bodies were unlikely to see large fines for breaches over the next two years, while the ICO indicated incidents would continue to be closely investigated. The sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.

In an open letter explaining the move at the time, Information Commissioner John Edwards wrote: “I am not convinced that large fines alone are such an effective deterrent in the public sector. They do not affect shareholders or individual directors in the same way as in the private sector, but come directly from the budget for providing services. The impact of a public sector fine often falls on the victims of a breach, in the form of reduced budgets for key services, rather than on the perpetrators. In effect, those affected are punished twice.”

At first glance, it might seem that the Electoral Commission was lucky to have its breach fall within the ICO’s two-year trial period of a more lenient approach to enforcing sector-specific rules.

Alongside the ICO’s statement that it would be trialling fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive approach, engaging with senior management of public bodies to raise standards and ensure compliance with data protection laws across government through a harm-prevention approach.

But when Edwards announced a plan to test a mix of softer enforcement and proactive outreach, he acknowledged it would take effort from both sides, writing: “We can’t do this alone. There has to be accountability on both sides to deliver these improvements.”

The Electoral Commission’s breach of the rules could therefore raise wider questions about the success of the ICO’s approach, including whether public sector bodies have kept their end of the bargain to justify more lenient enforcement.

It certainly doesn’t appear that the Electoral Commission was suitably proactive in assessing the risk of a breach in the early months of the ICO’s trial, that is, before it discovered the hack in October 2022. The ICO’s reprimand, describing the Commission’s failure to patch a known software vulnerability as a lapse in a “fundamental measure”, looks like the very definition of the preventable data breach the regulator said it wanted to address through its change in public sector policy.

In this case, however, the ICO says it didn’t apply the more lenient public sector enforcement policy.

In response to questions about why the Electoral Commission was not fined, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered in this case. Despite the number of people affected, the personal data was limited primarily to the names and addresses contained in the Electoral Register. Our investigation did not find any evidence of misuse of personal data or that this breach caused any direct harm.”

“The Electoral Commission has already taken the necessary steps we expect to see to improve security in the wake of this incident, including implementing an infrastructure modernisation plan, as well as reviewing password policies and multi-factor authentication for all users,” the spokesperson added.

The regulator says there was no fine because no data was misused, or rather, because the ICO found no evidence of misuse. The mere exposure of 40 million voters’ information didn’t meet the ICO’s threshold.

One wonders to what extent the regulator’s investigation focused on identifying how voter information might have been misused.

Returning to the ICO’s public sector enforcement approach: at the end of June, as the experiment approached its two-year mark, the regulator issued a statement saying it would review the policy before deciding in the autumn on the future of the sectoral approach.

Whether this policy will continue, or whether there might be a shift towards fewer reprimands and bigger fines for public sector data breaches, remains to be seen. Regardless, the Electoral Commission case shows that the ICO is reluctant to impose sanctions on the public sector unless the exposure of individuals’ data can be linked to proven harm.

It isn’t clear how a regulatory approach that isn’t intended to be a deterrent will help raise data protection standards across government.

This article was originally published on : techcrunch.com

OpenAI may change its nonprofit structure next year

It looks increasingly likely that OpenAI will soon change its complex corporate structure.

Reports earlier this week suggested the AI company was in talks to raise $6.5 billion at a pre-money valuation of $150 billion. Now Reuters reports that the deal is contingent on OpenAI successfully restructuring and lifting the profit cap for investors.

In fact, according to Fortune, co-founder and CEO Sam Altman told employees at a company-wide meeting that OpenAI’s structure will likely change next year, bringing it closer to a standard for-profit business. OpenAI is currently structured so that its for-profit arm is controlled by a nonprofit, which appears to have frustrated investors.

“We remain focused on building AI that benefits everyone, and as we’ve said before, we’re working with our board to ensure we’re best positioned to deliver on our mission,” OpenAI said in a statement. “The nonprofit is core to our mission and will continue to exist.”

This article was originally published on : techcrunch.com
LinkedIn games are really cool
I actually have a weakness that I’m ashamed of, and it isn’t that I’ve watched all of Glee (yes, even the terrible later seasons) or that I’ve read an incredible amount of Harry Potter fan fiction in my life.

My little weakness is playing LinkedIn games.

To answer the obvious question: Wait, LinkedIn has games? Yes. In May, LinkedIn launched three puzzle games via LinkedIn News, much like New York Times game knockoffs. There’s the logic puzzle Queens (my favorite), the word game Crossclimb (pretty good), and the association game Pinpoint (not great, but oh well).

LinkedIn is taking the classic tech strategy of seeing what works for another company and then trying to copy that success, even if it may seem odd to play games on a professional networking platform. But it’s no wonder NYT Games provided that inspiration. In a way, The New York Times is a gaming company now: as of December 2023, users spent more time in the NYT Games app than in the news app.

LinkedIn isn’t alone. Everyone has games now. Apple News. Netflix. YouTube. There are so many games we can enjoy. And yet, once I finish my various New York Times puzzles, I still want more. It’s not that I’d rather play LinkedIn’s Crossclimb than Connections, but the games are good enough to give me that sweet dopamine rush.

I often play LinkedIn games during the workday (sorry to my boss). Sometimes it’s because I’m on LinkedIn to check facts or look up a source, but then I remember I can spare a few minutes for a little game. Other times, my mind is foggy from staring at the same draft of an article for too long, and taking a break to solve a colourful Queens puzzle makes it easier to come back to that Google doc.

But it turns out there’s a scientific explanation for why we love these quick, once-a-day puzzles so much.

I recently spoke with DeepWell DTx cofounder Ryan Douglas, whose company is built on the idea that playing video games (in moderation) can have a positive impact on mental health. In some cases, the brief distraction of a game can pull us out of a negative thought spiral or help us approach a problem from a new perspective.

“If you’re playing Tetris, for example, you can’t have a long conversation in your head about how terrible you are, how much you suck, what’s going to happen next week, and so on,” Douglas told TechCrunch.

On a neurobiological level, Douglas explained, when we play we activate the limbic system in the brain, which is responsible for dealing with stress. Even when these stressors are simulated, they accustom the brain to handling that kind of stress.

“You start learning on a subconscious level, creating new neural pathways at an accelerated rate and preferentially selecting them on a subconscious level to deal with those problems in the future,” he said. “If you deal with (the stressor) in that particular environment, you gain agency. You have control.”

That’s not to say we should all play Pokémon all day: the video game development tools DeepWell creates are approved for therapeutic use in 15-minute doses. Maybe that’s why we’re so infatuated with games like Wordle, and the other games The New York Times (and LinkedIn) have made that have a finite ending. You solve one puzzle a day, and then you move on to the next.

Wordle creator Josh Wardle spoke to TechCrunch about his viral success even before The New York Times picked up his game.

“I’m a little suspicious of apps and games that want your endless attention — I worked in Silicon Valley, for example. I know why they do that,” Wardle said. “I think people have an appetite for things that clearly don’t want anything from you.”

But Wardle is right. Of course my beloved LinkedIn games want something from me: my attention. And to be honest, I’ve spent a lot more time on LinkedIn in recent months than I ever have.

According to LinkedIn’s data, my behavior isn’t an anomaly. The company found that new player engagement has increased by about 20% week over week since the start of July. LinkedIn has also seen strong traction in users starting conversations after playing games. After you finish a game, you can see which of your connections also played, which I imagine some people see as an opportunity to #network. I don’t do that, but then again, most of my LinkedIn conversations are just me messaging my friends “hi” because for some reason I find that funny.

So go on LinkedIn and have as much fun as you can… and then, about four minutes later, return to the relentless grind of global capitalism.

This article was originally published on : techcrunch.com
These two friends created a simple tool to transfer playlists between Apple Music and Spotify, and it works great
Last year, I had the misfortune of losing all my playlists when I moved from Apple Music to Spotify. For me, playlists are important. They’re snapshots of a certain period in your life; maybe your summer of 2016 had a soundtrack. But traditionally, streaming music services don’t make it easy to take your playlists with you to other platforms.

You can imagine how happy I was to see that Apple Music has created a new playlist transfer tool through the Data Transfer Initiative (DTI), a group founded by Apple, Google, and Meta to create data transfer tools. Europe’s Digital Markets Act requires these designated “gatekeepers” to fund data transfer tools as part of a broader remedy for Big Tech’s practice of locking users into their platforms.

Finally! There was only one big problem. The tools don’t work with the world’s most popular music service, Spotify, which apparently hasn’t joined the data transfer effort (or perhaps the regulator hasn’t told it to). The DTI tool only transfers data between Apple Music and YouTube Music, making it far less useful for most people.

DTI Executive Director Chris Riley is also fed up with Big Tech’s lock-in practices. He’s trying to get more companies to join the negotiations and make their services more portable.

“Over the last decade, we’ve kind of blended into this world, just feeling trapped,” Riley told TechCrunch. “I don’t think enough people know that this is something they need to know.”

With DTI’s limitations in mind, Riley suggested I move my playlists from Apple Music to Spotify using Soundiiz, a free third-party tool. Instead of working directly with streaming services, Soundiiz builds portability tools on top of existing APIs and acts as a translator between services. Within minutes, I was able to connect my accounts, transfer my playlists, and start listening to my old Apple Music playlists on Spotify. It was amazing and easy.

Soundiiz lets you transfer playlists between Apple Music, Spotify, YouTube Music, Amazon Music, Tidal, Deezer, SoundCloud, and 20 other streaming services I’ve never heard of. There’s a simple user interface for connecting streaming services and choosing the playlists you want to transfer, including ones someone else has created.

The story behind Soundiiz may explain why it works so well and so cheaply. It was created in 2013 by two friends from France, Thomas Magnano and Benoit Herbreteau, who loved listening to music while coding together. In the evenings, they decided to build a music search interface drawing on sources from all over the web. In the process, they created a useful tool.

They never finished the music search interface, but the playlist transfer tool became Soundiiz.

“I had to manipulate the API and test the fit between services. And while I was doing that, I was creating playlists and moving them between services, just for me internally,” Magnano told TechCrunch. “I presented this feature to a colleague of mine and we thought, ‘Oh, this is useful to me; maybe it’s useful to someone else.’”

In 2015, Soundiiz got its big break when it partnered with Tidal, the music service founded by Jay-Z. The music platform was trying to make it easier for people to leave Spotify and join Tidal with all the same playlists, and Soundiiz helped with that. But Magnano says they made sure Tidal also let people export playlists, not just import them, something they require from every music service API they work with.

Then many more people started using the service, and the founders made Soundiiz their full-time job, but they kept their values. The two founders make a living from Soundiiz, but they tell TechCrunch they’re “not looking to get rich.” Magnano says Soundiiz has never sought outside investment, to keep prices low, and the founders retain control over their project.

There are limitations to the free version of Soundiiz, though: some of the longer playlists will be truncated (limited to 200 songs). You also have to transfer playlists one at a time, and each one takes about a minute, so transferring a dozen or so playlists can take a while. Soundiiz offers a premium plan ($4.50 a month, which you can cancel after transferring) to get around these limitations.

The two founders are still the only employees of Soundiiz, even though the company has grown: Soundiiz has helped hundreds of thousands of people move over 220 million playlists over the past 10 years. According to Magnano, they’ve never spent a dime on marketing, but he says they’ve never had to.

“If you were to Google ‘how to transfer Deezer to Spotify’ in 2012, there was no answer,” Magnano said. “So Soundiiz became the first result in Google search when we launched, and we’ve been doing great in SEO ever since.”

Magnano says Spotify likely has more to lose than to gain by creating a playlist transfer tool like Apple and Google have, and he doesn’t expect that to change anytime soon. However, he says all of these streaming services are aware of what Soundiiz is doing and are okay with it; some even mention it in their FAQs. That said, it’s unlikely that any of them would promote playlist transfer tools like Soundiiz more than that.

This article was originally published on : techcrunch.com