In a startling revelation, the UK’s Electoral Commission has admitted to failing a crucial cybersecurity test around the same time it fell victim to a significant cyber-attack. This breach potentially exposed the data of 40 million voters.
Background of the Breach
Last month, the Electoral Commission disclosed that “hostile actors” had infiltrated its systems, accessing its emails and potentially the data of millions of voters. The breach began in August 2021 and remained undetected until October 2022. The attackers had access to sensitive data, including the names and addresses of registered voters, many of whom had opted out of public registers.
Cybersecurity Audit Failures
A whistleblower alerted the BBC that the Commission had been given an automatic fail during a Cyber Essentials audit. This government-backed scheme, supported by the National Cyber Security Centre (NCSC), is designed to help organizations maintain best practices in cybersecurity. While voluntary, it’s a widely recognized standard, especially for entities handling sensitive and personal information.
Among the reasons for the Commission’s failure were:
– Approximately 200 staff laptops were operating outdated and potentially insecure software.
– The use of old iPhones that were no longer receiving security updates from Apple.
– The outdated Windows 10 Enterprise operating system on some devices.
However, a spokesperson for the Electoral Commission has stated that these failures were not directly linked to the cyber-attack that compromised their email servers.
Expert Opinions
Cybersecurity consultant Daniel Card mentioned that while it’s too early to determine if the audit failures directly facilitated the breach, the vulnerabilities paint a picture of weak security postures and governance within the Commission.
Richard Cassidy, Rubrik EMEA CISO, compared failing the Cyber Essentials audit to leaving one’s doors and windows unlocked in a risky neighborhood. He emphasized that such audits ensure that every aspect of an organization’s cybersecurity is robust and that any failure compromises the entire system.
Alan Woodward, a professor of cybersecurity at Surrey University, echoed these sentiments, stating that failing such basic measures is concerning and reflects poorly on the organization’s IT security.
Moving Forward
The Electoral Commission has expressed its commitment to enhancing its cybersecurity measures. Drawing on the expertise of the NCSC, the Commission aims to continually develop and progress protections against evolving cyber threats.
This incident underscores the importance of robust cybersecurity measures, especially for organizations handling vast amounts of sensitive data. As cyber threats continue to evolve, it’s crucial for entities to stay updated, conduct regular audits, and address vulnerabilities promptly.
“This is a concerning discovery about a cyberattack that could give adversarial powers greater advantage in meddling with the future UK electoral process.
Cyber Essentials is a certification that sets out best security practices for businesses of all sizes to help them improve their resilience against attacks. It is non-intrusive and cost-effective and something all businesses should aim to achieve especially when they process high volumes of data. The certification is more than another compliance check box to be ticked; It is a solid baseline to make sure that, as an organisation, many obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on.
The fact that the Electoral Commission recently failed the assessment is very worrying. Especially given that an organisation of such prominence would normally be expected to be Cyber Essentials Plus certified.
No organisation that handles the data of the UK population should ever gamble with security, the requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee.”