ICO reprimands UK Electoral Commission over cyberattack that left voter data exposed


The Information Commissioner's Office (ICO) has reprimanded the UK Electoral Commission (EC) after hackers breached servers containing the personal information of 40 million people.

The attack occurred in August 2021, with the hackers breaching the servers through user impersonation and exploiting known vulnerabilities that had not been patched.

Lack of appropriate security measures

The ICO’s reprimand stems from a lack of appropriate security measures that should have been in place to protect the personal information of millions of registered voters. Specifically, patches for the vulnerabilities exploited by the attackers had been released in April and May 2021, but the EC had not applied them.

Moreover, many EC accounts were still using default or weak passwords, which likely contributed to the attackers' ability to impersonate a user account and gain access to the servers. Following the breach, the EC enacted remedial security improvements and implemented an infrastructure improvement plan, alongside password best practices and multi-factor authentication for all users.

Stephen Bonner, Deputy Commissioner at the ICO, commented on the reprimand stating, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people's personal information and risk enforcement action, including fines,” Bonner concluded.


Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.