Poor Security at the Electoral Commission Let Hackers Access 40 Million Voters’ Details

You may have seen the recent news that the Electoral Commission has been formally reprimanded by the Information Commissioner’s Office (ICO) over a cyberattack which occurred in 2021.

The ICO found voters’ personal details were left “vulnerable to hackers” because passwords were not changed and the Electoral Commission’s software had not been updated. They also found that the hackers had access to their systems for over a year and the breach was only spotted when a member of the Electoral Commission’s staff reported spam emails were being sent out from the Commission’s email server.

The hackers had impersonated a user account and exploited a number of publicly known security vulnerabilities in software used by the Electoral Commission. The software developer had released updates to fix these weaknesses months before the attack; however, the Commission had failed to install them.

ICO deputy commissioner Stephen Bonner said if the Electoral Commission had “taken basic steps” to protect its systems, it was “highly likely” the data breach would not have happened.

“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” he said.

You can read the full article on the BBC online here >

What can we learn from this?

The key takeaway from this attack is to make sure that security patches and software updates are installed as soon as they become available:

  • PC Security Patching – ensure you download and install all updates on your PC as soon as they become available. You can turn on automatic updates in your PC’s settings and choose the option that lets the system automatically download recommended updates and install them. You can also schedule installation for a particular day and time.
  • Fileserver Security Patching – fileservers should be kept fully up-to-date with the latest security patches. If your server is actively monitored by us, this should already be done. If you maintain your fileservers in-house, it is critical that these are patched as soon as possible and kept current with the latest security updates. Microsoft releases patches on a schedule to make it easier for you.
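As an added example (not code from the NCS post), the following PowerShell script gives a quick, read-only audit of whether a Windows PC or file server is actually set up to patch itself and whether it has fallen behind. It checks the Windows Update service, the automatic-update policy in the registry, the date of the most recently installed hotfix and any updates still pending, and lists anything that needs attention. The 30-day "stale" threshold is an assumption chosen for illustration, not a figure from the article, and the script should be run in an elevated PowerShell session.

```powershell
# Added example (not from the NCS post): read-only audit of a Windows machine's
# patch state. Run from an elevated PowerShell session.
# The 30-day threshold is an assumption for illustration only.
param(
    [int]$MaxDaysSinceLastPatch = 30   # assumed threshold for "stale"
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The Windows Update service must be able to run for automatic updates to work.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu) {
    $findings.Add("Windows Update service (wuauserv) not found")
} elseif ($wu.StartType -eq 'Disabled') {
    $findings.Add("Windows Update service is disabled")
}

# 2. Automatic-update policy (only present when managed by Group Policy).
#    NoAutoUpdate=1 turns automatic updates off.
#    AUOptions 4 = auto download and schedule install, 3 = auto download then notify,
#    2 = notify before download (updates are NOT downloaded automatically).
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
if ($null -ne $au) {
    if ($au.NoAutoUpdate -eq 1) {
        $findings.Add("Group Policy sets NoAutoUpdate=1 (automatic updates disabled)")
    } elseif ($au.AUOptions -and $au.AUOptions -lt 3) {
        $findings.Add("AUOptions=$($au.AUOptions): updates are not downloaded automatically")
    }
}

# 3. Most recently installed hotfix, used as a rough "last patched" date.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($null -eq $lastPatch) {
    $findings.Add("No installed hotfixes reported by Get-HotFix")
} else {
    $age = (Get-Date) - $lastPatch.InstalledOn
    if ($age.TotalDays -gt $MaxDaysSinceLastPatch) {
        $findings.Add(("Last hotfix {0} was installed {1:N0} days ago" -f $lastPatch.HotFixID, $age.TotalDays))
    }
}

# 4. Updates that Windows Update knows about but has not installed yet,
#    via the Windows Update Agent COM API.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    $pending  = @($result.Updates | ForEach-Object { $_.Title })
    if ($pending.Count -gt 0) {
        $findings.Add("$($pending.Count) update(s) pending: " + ($pending -join '; '))
    }
} catch {
    $findings.Add("Could not query pending updates: $($_.Exception.Message)")
}

# 5. Report the result.
if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME appears to be patched and set to update automatically."
} else {
    Write-Output "ATTENTION: $env:COMPUTERNAME has $($findings.Count) patching issue(s):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

On a machine that is not managed by Group Policy the registry key in step 2 will not exist and that check is simply skipped; the hotfix age and pending-update checks still tell you whether the machine is keeping up. Running it on a schedule against each file server and keeping the output gives a simple record that patching is happening, which is the sort of evidence the Cyber Essentials assessment asks for.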

Could Cyber Essentials help?


Cyber Essentials is a government-backed scheme that lays out a set of policies and procedures that organisations can put in place to show they meet a basic standard of IT security.

These are a set of basic technical controls that organisations should have in place to protect themselves against common online security threats.

The certification process covers basic IT security and takes into account:

  • Your firewall
  • Malware protection
  • Security configuration (e.g. password policies, multifactor authentication, user access controls)
  • Software update management (e.g. Windows Updates and software patches)
  • The CE rules also apply to any mobile devices, whether owned by the organisation or by the user, that access company data or services (e.g. to send or receive company email).

To find out more about Cyber Essentials, check out the blog on our website “All About Cyber Essentials” here >

If you would like to discuss any of the above, please get in touch with your NCS Account Manager – Carl, Jeremy, Rob, John or Victoria on 01706 23900 or their direct email address.
