Private particulars of thousands and thousands of UK voters had been left “susceptible to hackers” as a result of passwords weren’t modified and software program not up to date, the UK’s information privateness watchdog has discovered.
The Electoral Fee, which oversees UK elections, has been formally reprimanded by the Info Commissioners Workplace (ICO) over the safety lapse.
Starting in August 2021 cyber-attackers had been capable of entry computer systems containing the Electoral Registers, which maintain particulars of voters together with thousands and thousands of these not out there publicly.
The Electoral Commission said it regretted that enough protections weren’t in place to stop the cyber-attack.
“Because the ICO has famous and welcomed, for the reason that assault we have now made adjustments to our method, methods, and processes to strengthen the safety and resilience of our methods and can proceed to speculate on this space,” it stated in an announcement.
The investigation didn’t discover any proof that non-public information was misused, or that any direct hurt has been brought on by the assault.
The ICO stated hackers had entry to the Electoral Commissions’ methods for over a yr.
It was solely noticed when an worker reported that spam emails had been being despatched from the fee’s personal electronic mail server.
The hackers had been ultimately booted out in 2022.
The UK authorities has formally accused China of being behind the assault on the fee, claims the Chinese embassy rejected as “malicious slander”.
The ICO’s investigation discovered the Electoral Fee didn’t have acceptable safety measures in place to guard the non-public info it held.
To hold out the assault, hackers impersonated a reputable consumer account and exploited plenty of publicly recognized safety weaknesses in software program utilized by the fee.
Software program updates which fastened these safety holes had been out there for months earlier than the assault, however the Electoral Fee had failed to use them.
The fee additionally didn’t have an “acceptable” coverage in place to make sure staff had been utilizing safe passwords.
Investigators discovered 178 lively electronic mail accounts had been nonetheless utilizing passwords equivalent or just like these set by the organisation’s IT service desk when an account was created or reset.
ICO deputy commissioner Stephen Bonner stated if the Electoral Fee had “taken fundamental steps” to guard its methods, it was “extremely probably” the info breach wouldn’t have occurred.
“By not putting in the newest safety updates promptly, its methods had been left uncovered and susceptible to hackers,” he stated.