Admin

The Preventable Theft: How the UK Voter Register Records Could Have Been Safeguarded to Avoid the Loss of 40M Records


A cyberattack on the U.K. Electoral Commission resulted in a massive data breach of voter register records for 40 million people. This breach, which occurred in 2021 and was only discovered in 2022, could have been entirely prevented if the Electoral Commission had implemented basic security measures. These findings were reported by the U.K.’s Information Commissioner’s Office (ICO) in a scathing report.

The report points out several security failings on the part of the Electoral Commission. It reveals that the Commission did not patch known vulnerabilities in its email server, which allowed the attackers to gain unauthorized access and steal voter information. Beyond the missing security patches, the Commission also had weak password management practices and out-of-date infrastructure. The ICO describes the controls that were missing as basic security measures that should have been in place.

The ICO specifically identifies a chain of three vulnerabilities, known collectively as ProxyShell, that the attackers exploited to breach the Commission’s email servers. Microsoft had released patches for these vulnerabilities months before the attack, but the Commission had failed to install them. This failure to patch known vulnerabilities is cited as a basic measure that could have prevented the data breach.

In its investigation, the ICO discovered that the Electoral Commission allowed passwords that were easily guessed and confirmed that parts of its infrastructure were outdated. These findings further highlight the Commission’s lack of adequate cybersecurity practices.

The lack of fines imposed on the Electoral Commission by the ICO raises questions about the effectiveness of the regulatory body’s approach to enforcement. The ICO had announced a trial of a softer enforcement policy for public sector bodies, which focused on outreach and harm prevention instead of large fines. According to the ICO, this approach was intended to raise data protection standards in the public sector. However, it remains unclear whether public sector authorities have held up their end of the bargain in improving their cybersecurity practices.

In the case of the Electoral Commission breach, the ICO did not apply its softer enforcement policy and instead issued a reprimand. The lack of evidence of data misuse or direct harm caused by the breach was cited as the reason for not imposing a fine. This decision has raised concerns about the ICO’s priorities and whether its lenient approach to enforcement will drive up data protection standards in the public sector.

As the ICO reviews its public sector enforcement trial, it remains to be seen whether there will be a shift towards stricter enforcement and more fines for data breaches. The Electoral Commission case highlights the need for a regulatory approach that prioritizes deterrence and holds public sector organizations accountable for safeguarding people’s data. Without stronger enforcement, it is unlikely that data protection standards will significantly improve across the government sector.
