In a startling revelation, the UK’s Electoral Commission has admitted to failing a crucial cybersecurity test around the same time it fell victim to a significant cyber-attack. This breach potentially exposed the data of 40 million voters.
Background of the Breach
Last month, the Electoral Commission disclosed that “hostile actors” had infiltrated its systems, accessing its emails and potentially the data of millions of voters. The breach began in August 2021 and remained undetected until October 2022. The attackers had access to sensitive data, including the names and addresses of registered voters, many of whom had opted out of public registers.
Cybersecurity Audit Failures
A whistleblower alerted the BBC that the Commission had been given an automatic fail during a Cyber Essentials audit. This government-backed scheme, supported by the National Cyber Security Centre (NCSC), is designed to help organizations maintain best practices in cybersecurity. While voluntary, it’s a widely recognized standard, especially for entities handling sensitive and personal information.
Among the reasons for the Commission’s failure were:
– Approximately 200 staff laptops running outdated, potentially insecure software.
– Old iPhones still in use that were no longer receiving security updates from Apple.
– An outdated version of Windows 10 Enterprise still running on some devices.
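The findings above are the two things a Cyber Essentials assessor checks first: is every operating system in scope still supported by its vendor, and are high/critical updates installed within the 14 days the scheme allows. The following is an added example of that check, written for this page; it is not code from the Electoral Commission, the BBC report, or the Cyber Essentials scheme. It reads a constructed inventory export (column names, hostnames and rows are invented) and compares each device against a constructed end-of-support table whose dates are illustrative placeholders rather than vendor lifecycle data; a real check would load that table from the vendors' published lifecycle pages.

```python
import csv
import io
from datetime import date

# Cyber Essentials requires vendor-supported software only, and high/critical
# updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed end-of-support table (dates are illustrative placeholders, not
# vendor lifecycle data). None means the version is still supported.
END_OF_SUPPORT = {
    ("Windows 10 Enterprise", "21H1"): date(2022, 12, 13),
    ("Windows 10 Enterprise", "22H2"): None,
    ("iOS", "15"): date(2023, 1, 1),
    ("iOS", "16"): None,
}

# Constructed inventory export, in the shape an MDM or asset system might
# produce. An empty patch_installed field means the update is still pending.
SAMPLE_INVENTORY = """\
hostname,os,os_version,patch_released,patch_installed
LAPTOP-001,Windows 10 Enterprise,21H1,2023-08-08,
LAPTOP-002,Windows 10 Enterprise,22H2,2023-08-08,2023-08-10
LAPTOP-003,Windows 10 Enterprise,22H2,2023-08-08,
PHONE-017,iOS,15,2023-07-24,
PHONE-018,iOS,16,2023-07-24,2023-07-25
TABLET-004,iPadOS,16,2023-07-24,2023-07-25
"""


def parse_inventory(text):
    """Parse the CSV export into dicts, converting ISO date columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["patch_released"] = date.fromisoformat(row["patch_released"])
        row["patch_installed"] = (
            date.fromisoformat(row["patch_installed"]) if row["patch_installed"] else None
        )
        rows.append(row)
    return rows


def check_device(dev, audit_date):
    """Return the list of findings for one device (empty list = compliant)."""
    findings = []
    key = (dev["os"], dev["os_version"])
    if key not in END_OF_SUPPORT:
        # Software we cannot place in a support lifecycle is treated as
        # unsupported: fail closed rather than silently pass it.
        findings.append(f"{dev['os']} {dev['os_version']} not in support table")
    else:
        eos = END_OF_SUPPORT[key]
        if eos is not None and eos <= audit_date:
            findings.append(f"{dev['os']} {dev['os_version']} out of support since {eos}")
    if dev["patch_installed"] is None:
        age = (audit_date - dev["patch_released"]).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(
                f"critical update pending for {age} days (limit {PATCH_WINDOW_DAYS})"
            )
    return findings


def audit(inventory_text, audit_date):
    """Run both checks over the fleet. Any single finding is an automatic fail."""
    if isinstance(audit_date, str):
        audit_date = date.fromisoformat(audit_date)
    findings = {}
    for dev in parse_inventory(inventory_text):
        device_findings = check_device(dev, audit_date)
        if device_findings:
            findings[dev["hostname"]] = device_findings
    return {"pass": not findings, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, "2023-08-31")
    print("PASS" if result["pass"] else "FAIL")
    for host, items in result["findings"].items():
        for item in items:
            print(f"  {host}: {item}")
```

Two design choices matter here. Unknown software is counted as a finding rather than ignored, because an assessor will not give credit for a device whose support status nobody can state. And the result is a single pass/fail over the whole fleet: one laptop on an out-of-support build, or one phone with a critical update outstanding for more than 14 days, fails the assessment regardless of how the rest of the estate looks, which is exactly how the Commission ended up with an automatic fail.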
However, a spokesperson for the Electoral Commission has stated that these failures were not directly linked to the cyber-attack that compromised its email servers.
Cybersecurity consultant Daniel Card mentioned that while it’s too early to determine if the audit failures directly facilitated the breach, the vulnerabilities paint a picture of weak security postures and governance within the Commission.
Richard Cassidy, Rubrik EMEA CISO, compared failing the Cyber Essentials audit to leaving one’s doors and windows unlocked in a risky neighborhood. He emphasized that such audits ensure that every aspect of an organization’s cybersecurity is robust and that any failure compromises the entire system.
Alan Woodward, a professor of cybersecurity at Surrey University, echoed these sentiments, stating that failing such basic measures is concerning and reflects poorly on the organization’s IT security.
The Electoral Commission has expressed its commitment to enhancing its cybersecurity measures. Drawing on the expertise of the NCSC, the Commission aims to continually develop and progress protections against evolving cyber threats.
This incident underscores the importance of basic cyber hygiene for organizations holding large volumes of personal data: keep operating systems and software within vendor support, apply security updates promptly, audit regularly, and fix what the audits find.