Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Guardian - UK
The Guardian - UK
Politics
Dan Milmo

Electoral Commission failed cybersecurity test in same year as hack

A voter at a polling station in Stalybridge
A voter at a polling station in Stalybridge. The 2021 attack resulted in hackers accessing copies of electoral registers, equating to names and addresses of 40 million people. Photograph: Anthony Devlin/Getty Images

The Electoral Commission has admitted it failed a cybersecurity test in the same year that hackers successfully attacked the organisation.

The UK’s elections watchdog said it did not pass a Cyber Essentials test, a voluntary government-backed scheme that assesses an organisation’s readiness against cyber-attacks.

The commission said it had failed the test in 2021, when it was breached by an unknown assailant.

The organisation revealed last month that it had been a target of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers, equating to the names and addresses of 40 million people. It said the attack started in August 2021 and was not detected until October 2022.

The commission said it did not pass the test due to two issues unrelated to the hack: an earlier version of Windows software on some laptops and a dated version of staff mobiles. It said those problems were not linked to the attack, which affected the organisation’s email servers.

A spokesperson said: “We are always working to improve our cybersecurity and systems. We draw on the expertise of the National Cyber Security Centre, as many public bodies do, to continue to develop and progress protections against cyber-threats. We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber-threats as they evolve and take different forms. We welcome these learnings and act on them.”

The Cyber Essentials website states that the scheme is important because vulnerability to basic attacks marks organisations out as targets for “more in-depth unwanted attention from cybercriminals and others”.

Experts said the admission pointed to lax IT security at the organisation. “Failing such basic measures is not a good look,” said Alan Woodward, a professor of cybersecurity at Surrey University.

Steven Murdoch, a professor of security engineering at University College London, said: “Failing to meet fundamental patching requirements is a pretty good indication that there are deeper problems with management of and investment in information security.”

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.