A cyberattack on the U.K. Electoral Commission that resulted in the data breach of voter register records on 40 million people was entirely preventable had the organization used basic security measures, according to the findings from a damning report by the U.K.’s data protection watchdog published this week.
The report published by the U.K.’s Information Commissioner’s Office on Monday blamed the Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote in elections, for a series of security failings that led to the mass theft of voter information beginning August 2021.
The Electoral Commission did not discover the compromise of its systems until more than a year later in October 2022 and took until August 2023 to publicly disclose the year-long data breach.
The Commission said at the time of public disclosure that the hackers broke into servers containing its email and stole, among other things, copies of the U.K. electoral registers. Those registers store information on voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and nonpublic voter information.
The U.K. government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.” China denied involvement in the breach.
The ICO issued its formal rebuke of the Electoral Commission on Monday for violating U.K. data protection laws, adding: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”
For its part, the Electoral Commission conceded in a brief statement following the report’s publication that “sufficient protections were not in place to prevent the cyber-attack on the Commission.”
Until the ICO’s report, it wasn’t clear exactly what led to the compromise of tens of millions of U.K. voters’ information — or what could have been done differently.
Now we know that the ICO specifically blamed the Commission for not patching “known software vulnerabilities” in its email server, which was the initial point of intrusion for the hackers who made off with reams of voter data. The report also confirms a detail as reported by TechCrunch in 2023 that the Commission’s email was a self-hosted Microsoft Exchange server.
In its report, the ICO confirmed that at least two groups of malicious hackers broke into the Commission’s self-hosted Exchange server during 2021 and 2022 using a chain of three vulnerabilities collectively referred to as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.
Microsoft released patches for ProxyShell several months earlier in April and May 2021, but the Commission had not installed them.
By August 2021, U.S. cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, at which point any organization that had an effective security patching process in place had already rolled out fixes months ago and were already protected. The Electoral Commission was not one of those organizations.
“The Electoral Commission did not have an appropriate patching regime in place at the time of the incident,” read the ICO’s report. “This failing is a basic measure.”
Among the other notable security issues discovered during the ICO’s investigation, the Electoral Commission allowed passwords that were “highly susceptible” to have been guessed, and that the Commission confirmed it was “aware” that parts of its infrastructure were out of date.
ICO deputy commissioner Stephen Bonner said in a statement on the ICO’s report and reprimand: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”
Why didn’t the ICO fine the Electoral Commission?
An entirely preventable cyberattack that exposed the personal data of 40 million U.K. voters might sound like a serious enough breach for the Electoral Commission to be penalized with a fine, not just a reprimand. Yet, the ICO has only issued a public dressing-down for the sloppy security.
Public sector bodies have faced penalties for breaking data protection rules in the past. But in June 2022 under the prior conservative government, the ICO announced it would trial a revised approach to enforcement on public bodies.
The regulator said the policy change meant public authorities would be unlikely to see large fines imposed for breaches for the next two years, even as the ICO suggested incidents would still be thoroughly investigated. But the sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.
In an open letter explaining the move at the time, information commissioner John Edwards wrote: “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”
At a glance, it might look like the Electoral Commission had the good fortune to discover its breach within the ICO’s two-year trial of a softer approach to sectoral enforcement.
In concert with the ICO saying it would test fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive workflow of outreach to senior leaders at public authorities to try to raise standards and drive data protection compliance across government bodies through a harm-prevention approach.
However, when Edwards revealed the plan to test combining softer enforcement with proactive outreach, he conceded it would require effort at both ends, writing: “[W]e cannot do this on our own. There must be accountability to deliver these improvements on all sides.”
The Electoral Commission breach might therefore raise wider questions over the success of the ICO’s trial, including whether public sector authorities have held up their side of a bargain that was supposed to justify the softer enforcement.
Certainly it does not appear that the Electoral Commission was adequately proactive in assessing breach risks in the early months of the ICO trial — that is, before it discovered the intrusion in October 2022. The ICO’s reprimand dubbing the Commission’s failure to patch known software flaw as a “basic measure,” for example, sounds like the definition of an avoidable data breach the regulator had said it wanted its public sector policy shift to purge.
In this case, however, the ICO claims it did not apply the softer public sector enforcement policy in this case.
Responding to questions about why it didn’t impose a penalty on the Electoral Commission, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered for this case. Despite the number of people impacted, the personal data involved was limited to primarily names and addresses contained in the Electoral Register. Our investigation did not find any evidence that personal data was misused, or that any direct harm has been caused by this breach.”
“The Electoral Commission has now taken the necessary steps we would expect to improve its security in the aftermath, including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users,” the spokesperson added.
As the regulator tells it, no fine was issued because no data was misused, or rather, the ICO didn’t find any evidence of misuse. Merely exposing the information of 40 million voters did not meet the ICO’s bar.
One might wonder how much of the regulator’s investigation was focused on figuring out how voter information might have been misused?
Returning to the ICO’s public sector enforcement trial in late June, as the experiment approached the two-year mark, the regulator issued a statement saying it would review the policy before making a decision on the future of its sectoral approach in the fall.
Whether the policy sticks or there’s a shift to fewer reprimands and more fines for public sector data breaches remains to be seen. Regardless, the Electoral Commission breach case shows the ICO is reluctant to sanction the public sector — unless exposing people’s data can be linked to demonstrable harm.
It’s not clear how a regulatory approach that’s lax on deterrence by design will help drive up data protection standards across government.