UK ICO Reprimands Electoral Commission for 2021 Hack Attack

Hackers Exploited ProxyShell Vulnerability to Compromise Commission Systems
The U.K. Electoral Commission should have patched its ProxyShell vulnerability sooner. (Image: Shutterstock)

The British data regulator reprimanded the U.K.'s Electoral Commission for its failure to prevent a 2021 cyberattack that resulted in the exposure of millions of voter records.

Hackers in 2021 breached the networks of the U.K. Electoral Commission to access copies of electoral register files. The exposed data includes names and details of 40 million individuals registered to vote between 2014 and 2022 (see: UK Electoral Commission Suffered 'Complex' Hack in 2021).

The U.K. Information Commissioner's Office, which launched an assessment in the wake of the incident, on Tuesday reprimanded the Electoral Commission under the U.K. General Data Protection Regulation.

The data regulator said hackers breached the Electoral Commission's networks after exploiting the ProxyShell vulnerability present in the agency's Microsoft Exchange Server. The attackers continued to maintain access to the compromised networks for more than a year, largely due to the agency's failure to deploy adequate security solutions, the ICO said.

"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened," said Stephen Bonner, the ICO's deputy commissioner.

The Electoral Commission did not have password management policies at the time of the incident; it simply required its employees to "not reveal or write down passwords." One of the compromised accounts was using a default software vendor password at the time of the hack. Further analysis revealed that 178 Electoral Commission accounts used the same or similar default passwords.

"This failing is a basic measure that we would expect to see implemented in any organization processing personal data - regardless of potential severity of risk or size of organization," the ICO said.

The U.K. Electoral Commission did not immediately respond to a request for comment. The ICO said the electoral agency has taken a number of remedial steps in the wake of the hack, including monitoring firewalls and all other internet connections, supporting threat and vulnerability programs, adopting a password management policy and deploying multifactor authentication.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
