
How the theft of 40 million UK voter registers could have been completely prevented


The cyberattack on the British Electoral Commission, which led to the breach of 40 million people's electoral records, could have been entirely prevented if the organisation had put basic security measures in place, according to a damning report published this week by the UK's data protection watchdog.

A report published by the UK Information Commissioner's Office on Monday blamed the Electoral Commission, which holds copies of the UK's electoral register, for a series of security lapses that led to the mass theft of voter data beginning in August 2021.

The Electoral Commission only discovered the breach of its systems more than a year later, in October 2022, and it took until August 2023 to publicly disclose the year-long data breach.

The Commission said at the time of its public disclosure that hackers had breached its email servers and stolen, among other things, copies of the UK electoral registers. These registers hold details about voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and non-public voter information.

The UK government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for "wide-scale espionage and international repression of perceived dissidents and critics in the UK." China has denied any involvement in the breach.

On Monday, the ICO issued a formal reprimand to the Electoral Commission for breaching UK data protection law, adding: "Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred."

The Electoral Commission, for its part, said in a short statement after the report was published that "insufficient protective measures were in place to prevent a cyberattack on the Commission".

Until the ICO report was released, it was not clear what exactly led to the data of tens of millions of British voters being exposed, or what could have been done differently.

We now know that the ICO has blamed the Commission for failing to patch known vulnerabilities on its email server, which was the initial point of entry for the hackers who made off with large amounts of voter data. The report also confirms a detail reported by TechCrunch in 2023: the Commission's email ran on a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers breached the Commission's self-hosted Exchange server in 2021-2022 by exploiting a chain of three vulnerabilities, collectively known as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.

Microsoft had released patches for ProxyShell several months earlier, in April and May 2021, but the Commission did not install them.

By August 2021, the U.S. cybersecurity agency CISA began to sound the alarm that malicious attackers were actively exploiting ProxyShell, by which point every organisation with an effective security patching process had already deployed the patches months earlier and was protected. The Electoral Commission was not one of those organisations.
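The ProxyShell chain the ICO describes begins with a pre-authentication path-confusion bug in Exchange's Autodiscover front end: a request to `/autodiscover/autodiscover.json` whose query string starts with `@<host>/<backend path>` is forwarded to that backend (MAPI, EWS, ECP, the PowerShell remoting endpoint) without an access check, which is why the first exploitation attempts leave a distinctive trace in the server's IIS logs. The following is an added example, not code from the article or from the ICO report, showing how a defender could sweep IIS W3C logs for that pattern. The log excerpt is constructed for the example, the client addresses are documentation ranges, and the match heuristic is a hypothetical one written for this page rather than a vendor signature:

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt (not from the ICO report or any real server).
# Lines 4-6 mimic the ProxyShell Autodiscover path-confusion request shape;
# line 7 is a benign Autodiscover lookup that happens to contain an "@".
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-14 03:12:09 GET /owa/ - 203.0.113.5 200
2021-08-14 03:12:10 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.com 198.51.100.7 200
2021-08-14 03:12:11 POST /autodiscover/autodiscover.json @example.com/PowerShell/?&Email=autodiscover/autodiscover.json%3F@example.com 198.51.100.7 200
2021-08-14 03:12:12 POST /autodiscover/autodiscover.json @example.com/EWS/Exchange.asmx?&Email=autodiscover/autodiscover.json%3F@example.com 198.51.100.7 200
2021-08-14 03:13:00 GET /autodiscover/autodiscover.json email=alice@example.com 203.0.113.9 200
"""

# Hypothetical heuristic for this example: a query string that opens with
# "@<host>/" followed by an Exchange backend path is the ProxyShell
# path-confusion shape. Legitimate Autodiscover queries never start with "@".
PROXYSHELL_QUERY = re.compile(
    r"^@[^/\s]+/(?P<backend>mapi|powershell|ews|ecp|autodiscover)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    method: str
    backend: str   # which Exchange backend the request tried to reach
    query: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line of an IIS W3C log.

    Field names come from the '#Fields:' directive so the parser does not
    depend on a fixed column order; other '#' lines are directives and skipped.
    """
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort a long sweep
        yield line_no, dict(zip(fields, values))


def scan_iis_log(text):
    """Return a Finding for every request matching the ProxyShell shape."""
    findings = []
    for line_no, rec in parse_w3c(text):
        # IIS logs the path case-preserved; Exchange routes it case-insensitively.
        if rec.get("cs-uri-stem", "").lower() != "/autodiscover/autodiscover.json":
            continue
        query = rec.get("cs-uri-query", "")
        m = PROXYSHELL_QUERY.match(query)
        if m:
            findings.append(Finding(
                line_no=line_no,
                client_ip=rec.get("c-ip", "-"),
                method=rec.get("cs-method", "-"),
                backend=m.group("backend").lower(),
                query=query,
            ))
    return findings


def hits_by_source(findings):
    """Count findings per client IP; a burst from one source is the usual first lead."""
    counts = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.client_ip} {f.method} -> {f.backend}")
    print(hits_by_source(hits))
```

A match here is a sign of exploitation being attempted, not confirmation of compromise; whether it succeeded depends on the patch level of the server at the time, which is why a sweep like this is paired with checking the installed Exchange security update and looking for the web shells the later stages of the chain drop.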

“The Electoral Commission did not have an adequate patching system in place at the time of the incident,” the ICO report reads. “This flaw is a fundamental measure.”

Among other significant security issues uncovered during the ICO investigation, the Electoral Commission had allowed passwords that were "highly susceptible to guessing" and also confirmed it was "aware" that parts of its infrastructure were out of date.

ICO Deputy Commissioner Stephen Bonner said in a press release on the report and the ICO reprimand: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.”

Why didn't the ICO fine the Electoral Commission?

A completely avoidable cyberattack that exposed the personal data of 40 million British voters might seem a serious enough breach to warrant a fine rather than a reprimand for the Electoral Commission, but the ICO has issued only a public reprimand for lax security.

In the past, public sector bodies have been fined for violating data protection rules. But in June 2022, under the previous Conservative government, the ICO announced it would trial a revised approach to enforcement against public bodies.

The regulator said the policy change meant public bodies were unlikely to see large fines for breaches over the following two years, while incidents would continue to be closely investigated. The sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.

In an open letter explaining the move at the time, Information Commissioner John Edwards wrote: "I am not convinced that large fines alone are such an effective deterrent in the public sector. They do not affect shareholders or individual directors in the same way as in the private sector, but come directly from the budget for providing services. The impact of a public sector fine often falls on the victims of a breach, in the form of reduced budgets for key services, rather than on the perpetrators. In effect, those affected are punished twice."

At first glance, it might seem that the Electoral Commission was lucky that its breach came to light during the ICO's two-year trial of a more lenient approach to public sector enforcement.

Alongside the ICO's announcement that it would trial fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive approach, engaging with the senior management of public bodies to raise standards and ensure compliance with data protection law across government through a harm-prevention approach.

But when Edwards set out the plan to test a mixture of softer enforcement and proactive outreach, he acknowledged it would take effort from both sides, writing: "We can't do this alone. There has to be accountability on both sides to deliver these improvements."

The Electoral Commission's breach could therefore raise wider questions about the success of the ICO's approach, including whether public sector bodies have kept their end of the bargain to justify more lenient enforcement.

It certainly does not appear that the Electoral Commission was suitably proactive in assessing its breach risk in the early months of the ICO trial, that is, before it discovered the hack in October 2022. The ICO's reprimand, which describes the Commission's failure to patch a known software vulnerability as a lapse in a "fundamental measure", reads like the very definition of the preventable data breach the regulator said it wanted to tackle through its change in public sector policy.

In this case, however, the ICO says it did not apply its more lenient public sector enforcement policy.

In response to questions on why the Electoral Commission was not fined, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered in this case. Despite the number of people affected, the personal data was limited primarily to the names and addresses contained in the Electoral Register. Our investigation did not find any evidence of misuse of personal data or that this breach caused any direct harm.”

“The Electoral Commission has already taken the necessary steps we expect to see to improve security in the wake of this incident, including implementing an infrastructure modernisation plan, as well as reviewing password policies and multi-factor authentication for all users,” the spokesperson added.

The regulator says there was no fine because no data was misused, or rather because the ICO found no evidence of misuse. The mere exposure of 40 million voters' information did not meet the ICO's threshold.

One wonders to what extent the regulator's investigation focused on identifying how voter information might have been misused.

Returning to the ICO's public sector enforcement trial: at the end of June, as the experiment approached its two-year mark, the regulator issued a statement saying it would review the policy before deciding in the autumn on the future of the sectoral approach.

Whether this policy will continue, or whether there will be a shift towards fewer reprimands and larger fines for public sector data breaches, remains to be seen. Regardless, the Electoral Commission case shows that the ICO is reluctant to sanction the public sector unless the exposure of individuals' data can be linked to proven harm.

It is not clear how a regulatory approach that is not intended to deter will help raise data protection standards across government.

This article was originally published on : techcrunch.com
