The Electoral Commission has been reprimanded over its cyber security failings after a hack that exposed the details of around 40 million voters.
The attack happened in August 2021, when hackers got into the watchdog’s servers and exploited a known flaw in the software that should have been fixed months before.
As a result, the criminals had access to personal details of voters, including names and addresses, for over a year until the problem was found and rectified.
Earlier this year, the government blamed Chinese “state-affiliated actors” for the “malicious” attack, though a Chinese embassy spokesperson called the claim “completely unfounded”.
An investigation into the commission’s conduct was carried out by the Information Commissioner’s Office (ICO), which today officially reprimanded the organisation for leaving its systems “exposed and vulnerable to hackers”.
The ICO’s report said the commission “did not have appropriate security measures in place to protect the personal information it held”, namely it did not make sure its servers were kept up to date with the latest security patches that had been released months before the attack.
The report also said the commission “did not have sufficient password policies in place at the time of the attack”, with many staff having not changed from their default passwords.
Deputy commissioner at the ICO Stephen Bonner said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.
“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
Mr Bonner said while “an unacceptably high number of people were impacted”, the ICO had “no reason to believe any personal data was misused” and there was “no evidence that any direct harm has been caused by this breach”.
He said the commission had now “taken the necessary steps” to improve its cyber security.
An Electoral Commission spokesperson said: “We regret that sufficient protections were not in place to prevent the cyber attack on the commission.”
They added the commission had “made changes to our approach, systems, and processes to strengthen the security and resilience of our systems” since the attack, approved by experts including the ICO, and the organisation would “continue to invest” in further security.
Source Agencies