Major Data Breach In The UK: Electoral Commission Systems Compromised Affecting Over 40 Million Voters

By ISBuzz Team
Writer, Information Security Buzz | Aug 09, 2023 04:29 am PST

In a recent shocking revelation, the UK has witnessed its most substantial data breach to date. The **Electoral Commission**, an independent body set up by the UK Parliament, confirmed that “hostile actors” penetrated its protective digital barriers, allowing unauthorized access to its systems for a staggering 14 months. This extensive breach potentially means that the private details of nearly every UK voter registered between 2014 and 2022 have been exposed.

The vast scope and duration of the unauthorized access have sent shockwaves throughout the cybersecurity community and the general public. The fact that malicious actors could remain undetected for over a year has raised critical questions about the UK’s digital defenses against cyber threats.

Meanwhile, in a separate incident, the **Police Service of Northern Ireland (PSNI)** has come forward about another unfortunate data mishap. Thousands of officers and civilian staff had their personal data inadvertently revealed due to a mistakenly processed freedom of information request, adding to the concerns over data protection in the UK.

The **National Cyber Security Centre**, a government agency responsible for providing advice and support for the public and private sector in avoiding cyber threats, has taken up the investigation. There’s heightened speculation regarding the nature of this breach. Could it be a coordinated attack from a foreign state? With increasing instances of cyber warfare, the possibility isn’t off the table.

David Omand, a former director of the Government Communications Headquarters (GCHQ), the UK’s premier intelligence and security organization, didn’t hold back in pointing fingers. He specifically highlighted **Russia’s repeated history of meddling in democratic processes** across different nations. The 2016 US election interference is a notable example, reinforcing the suspicion surrounding this recent breach.

In the political realm, **Tory MP Simon Fell**, chairman of the all-party parliamentary group on cyber security, voiced his deep concerns. According to Fell, the vast scale of this breach is alarming. While some information might be available in the public domain, the consolidation of such data in one place makes it a treasure trove for entities wishing to harm the nation. The list of usual suspects behind such a large-scale attack, as per Fell, includes Russia, China, Iran, and North Korea. However, Russia’s consistent history of electoral interference puts it at the top of the list.

Amidst the growing concerns, Shaun McNally, the Chief Executive of the Electoral Commission, offered a public apology. He assured that while the breach was significant, the very nature of the UK’s democratic process – dispersed and heavily reliant on paper documentation – would make it exceedingly challenging for a cyber-attack to directly influence electoral outcomes.

11 Expert Comments
Matt Aldridge, Principal Solutions Architect
InfoSec Expert
August 9, 2023 1:55 pm

“The attack on the Electoral Commission is concerning – one concern here is that the stolen data could help to fuel future cyber-attacks and other types of fraud. Also, if a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets, in an effort to support that nation’s competitive agenda.
The fact that name and home address data has been stolen is worrying, as it could contribute to targeted social engineering attacks on the victims involved. My message to voters who may have been affected is to remain vigilant for future scam messages or other communications that may use your name and address to purport legitimacy, and to react with appropriate suspicion. Staying alert and not clicking on suspicious links or providing personal details, whether financial or password related, is the best way to stay protected from all types of phishing emails.
Organisations should learn from this latest breach by ensuring they’re doing everything they can to protect themselves and their data in a world where new cyber risks and dangers are evolving at compute speed. We’ve seen that increased employee flexibility around remote working practices often means increased cybersecurity risks. As a result, organisations must work with their staff to create strong cybersecurity habits so best-practice becomes second nature. To mitigate against cyber threats, regular education and phishing simulations are a must, and all employees and companies must stay updated with current trends. Rather than viewing data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of an organisation. Employee awareness and vigilance is the most powerful tool in the Cyber Resilience kit-bag.”

Sylvain Cortes, VP Strategy
InfoSec Expert
August 9, 2023 1:54 pm

“Hackers are a patient bunch. Two years in a victim’s systems is far from unheard of. Equally worrying is the Electoral Commission’s inability to identify what the attackers were scoping out to begin with and may well have stolen. As the saying goes, you don’t know what you don’t know. Clearly, the Commission doesn’t have the necessary cybersecurity fundamentals in place, and they’ve admitted as much. An always-on, global view of vulnerabilities and their exploitation is mission-critical for organisations. The silver lining? The cure for negligence tends to be a wakeup call of this sort.”

Mike Newman, CEO
InfoSec Expert
August 9, 2023 1:53 pm

“Based on the information available, it sounds like the attack is still being investigated, but this incident does have the potential to put thousands, even millions, of British citizens at risk.

The Electoral Commission has stated it doesn’t know what information has been viewed or copied, but with the information stored on their servers relating to home addresses, telephone numbers and emails, attackers could now use this data to send out highly sophisticated phishing scams, especially those in relation to this incident. It is wise to therefore treat email correspondence relating to the breach with caution and to avoid clicking on links in emails or giving away personal information.

It sounds like the attackers initially gained access to the Electoral Commission’s systems via a compromised login, as it was suspicious login attempts that first alerted them to the breach. This once again highlights how compromised logins can offer criminals unfiltered corporate network access, which is very difficult to spot because the login does not appear malicious.

The only way to counter this threat is by removing passwords from employee hands so they can’t be stolen. Using modern identity management tools, organisations can remove passwords and credentials from employees, instead offering them access to all the applications they need by distributing encrypted credentials. When no one sees or knows these access keys, they can’t be stolen by criminals, which closes doors on security incidents like the one impacting the Electoral Commission today.”

Fabien Rech, VP EMEA
InfoSec Expert
August 9, 2023 1:52 pm

“Government institutions like the Electoral Commission are a data goldmine. Holding huge swathes of highly confidential and personal data relating to the public, they are a key target for cybercriminals, either as part of ransomware initiatives, or ongoing scams. Data protection needs to be at the forefront. Not only is this a risk to sensitive public data, but it also impacts the democracy of elections.
“In 2022, the Tory leadership election was delayed over potential security-related concerns, which highlights the importance of integrity when handling this sort of data, and this truly hammers home the significance of this breach. As more details come around how threat actors gained access to the Electoral Commission’s systems, it’ll become clearer as to how they could have been best positioned to fend off such an attack.
“At a minimum, it’s critical to have a 360-degree understanding of the potential attack surface within government IT systems, with constant testing to ensure security is flexible. There’s no one-size-fits-all approach to cybersecurity, as this breach has demonstrated, and integrating an adaptable, shifting approach to security can limit the impact of attackers living under the radar inside networks.”

Fabien can also offer insights on:

  • The wider impact breaches of this significance can have on the wider societal ecosystem, especially when it comes to ransomware and scamming members of the public,
  • Learnings from previous incidents that have impacted the public and political stage,
  • What government institutions can do to protect themselves from these types of breaches, especially when they are data goldmines like the Electoral Commission.
Tom Hamersley, Senior Solutions Architect
August 9, 2023 1:51 pm

A breach on the Electoral Commission sounds critical and important, and the news is getting a lot of attention. However, looking at the incident more closely, the fact it was identified in October 2022 and is only being reported now suggests the impact wasn’t critical. This is also illustrated by the fact the PII breached was limited, with most of the information already being in the public domain, and the breach has not affected the rights or access to the democratic process or affected electoral registration status. I’m more concerned that the measures they’ve stated as having taken to prevent future attacks look reactive and basic. While they are increasing their overall alerting to suspicious login activity, it doesn’t suggest an improvement in the overall security maturity of their electoral assets and whether or not they will undergo sufficient automated and human testing. Many other government agencies, including the NCSC, already take an advanced approach to security testing and engage with the ethical hacking community to report any potential vulnerabilities.
