The Information Commissioner's Office (ICO) has reprimanded the UK Electoral Commission (EC) after hackers breached servers containing the personal information of 40 million people.
The attack occurred in August 2021, with the hackers breaching the servers through user impersonation and exploiting known vulnerabilities that had not been patched.
The attackers had access to the systems, which contained names and home addresses, until October 2022, with the hackers accessing the data on multiple occasions during this time.
Lack of appropriate security measures
The ICO’s reprimand stems from a lack of appropriate security measures that should have been in place to protect the personal information of millions of registered voters. Specifically, the vulnerabilities exploited by the attackers were patched in April and May of 2021, but were not applied by the EC..
Moreover, many EC accounts were still using default or weak passwords, likely contributing to the attackers ability to impersonate a user account and gain access to the servers. Following the breach, the EC enacted remedial security improvements and implemented an infrastructure improvement plan, alongside best practices for passwords and multi-factor authentication for all users.
Stephen Bonner, Deputy Commissioner at the ICO, commented on the reprimand stating, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure. Do you know if your organisation has installed the latest security updates? If not, then you jeopardise people's personal information and risk enforcement action, including fines,” Bonner concluded.
More from TechRadar Pro
- Here is our guide to the best endpoint protection
- Google admits it accidentally broke its own password manager
- These are the best internet security suites