Millions of UK Voters’ Personal Details Left Vulnerable to Hackers Due to Security Lapse
The UK’s data privacy watchdog, the Information Commissioners Office (ICO), has reprimanded the Electoral Commission for leaving the personal details of millions of UK voters vulnerable to hackers. The security lapse occurred because passwords were not changed and software was not updated, allowing cyber-attackers to access computers containing the Electoral Registers.
The attack, which began in August 2021, went unnoticed for over a year until an employee reported that spam emails were being sent from the commission’s own email server. The hackers were eventually removed from the system in 2022, but the damage had already been done.
The ICO’s investigation found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held. Hackers were able to impersonate a legitimate user account and exploit known security weaknesses in the software used by the commission. Despite software updates being available for months prior to the attack, the commission failed to apply them.
Additionally, the commission did not have a policy in place to ensure employees were using secure passwords, with 178 active email accounts still using passwords identical or similar to those set by the IT service desk.
The UK government has formally accused China of being behind the attack, a claim that the Chinese embassy has rejected as “malicious slander.”
ICO deputy commissioner Stephen Bonner stated that if the Electoral Commission had taken basic steps to protect its systems, the data breach could have been prevented. “By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” he said.
The Electoral Commission has since made changes to strengthen the security and resilience of its systems and will continue to invest in this area to prevent future cyber-attacks.
