A cyber attack on the UK's Electoral Commission, which led to the leak of 40 million voter register data, could have been entirely preventable if the commission had taken basic security measures, according to a damning report published this week by the UK's data watchdog.
A report published Monday by the UK's Information Commissioner's Office blamed the Electoral Commission, which keeps a copy of the register of citizens eligible to vote in UK elections, for a series of security failings that led to the mass theft of voter information beginning in August 2021.
The elections commission did not realize the intrusion into its systems until October 2022, more than a year later, and only disclosed the year-long data breach in August 2023.
The committee said at the time that the hackers had broken into a server where emails were stored and stolen a copy of the UK electoral register, among other things. The electoral register holds details of voters who registered between 2014 and 2022, including names, addresses, phone numbers and non-public voter details.
The British government later blamed China for the intrusion, and senior officials warned that the stolen data could be used for “large-scale espionage and international repression against perceived dissidents and critics in the UK.” China denied any involvement in the intrusion.
The ICO formally accused the Electoral Commission on Monday of breaching UK data protection law, adding that “if the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, this data breach is likely to have not occurred.”
Meanwhile, in a brief statement after the report was released, the Election Commission acknowledged that “sufficient safeguards had not been put in place to prevent cyber attacks against the commission.”
Until the ICO report, it was unclear what exactly happened that led to the leak of the details of tens of millions of British voters, or what else could have been done.
It turns out the ICO specifically faulted the committee for failing to patch “known software vulnerabilities” in the email server that was the initial point of entry for hackers who stole large amounts of voter data. The report also corroborates details reported by TechCrunch in 2023 that the committee's emails were on a self-hosted Microsoft Exchange server.
In its report, the ICO confirmed that at least two malicious hacker groups had exploited a chain of three vulnerabilities, collectively known as ProxyShell, to compromise the Commission's self-hosted Exchange servers in 2021 and 2022, allowing hackers to gain access, take control and implant malicious code on the servers.
Microsoft released patches for ProxyShell several months ago, in April and May 2021, but the committee did not install them.
By August 2021, the U.S. cybersecurity agency CISA began issuing warnings that malicious actors were actively exploiting ProxyShell. At that point, organizations that had effective security patching processes in place had already deployed fixes and were protected months earlier. Election Commissions were not among those organizations.
“At the time of the incident, the Electoral Commission did not have an adequate patching regime in place,” the ICO report said. “This deficiency is fundamental.”
Among other notable security issues uncovered during the ICO's investigation was that the Electoral Commission allowed “highly easy-to-guess” passwords, and that the commission “knew” that some of its infrastructure was out of date.
In a statement about the ICO's report and disciplinary action, ICO Deputy Commissioner Stephen Bonner said: “If the Electoral Commission had taken basic steps to secure its systems, such as effective security patching and password management, this data breach is likely to have avoided happening.”
Why didn't the ICO fine the Electoral Commission?
The exposure of the personal details of 40 million UK voters in a completely preventable cyber attack may seem like a breach serious enough to warrant a fine rather than just a reprimand for the Electoral Commission, but the ICO only issued a public scolding for lax security practices.
Public bodies have always faced penalties for breaching data protection rules, but in June 2022, under the previous Conservative government, the ICO announced it would pilot a review of how it enforces these rules against public bodies.
The regulator said the policy change meant that public authorities were unlikely to face huge fines for non-compliance over the next two years, despite the ICO indicating it would continue to thoroughly investigate cases, but the industry was told to prepare for an increase in reprimands and the use of other enforcement powers rather than fines.
In an open letter explaining the move, then Information Commissioner John Edwards wrote: “I do not believe that large fines are effective as a deterrent within the public sector. Fines are paid for directly from service provision budgets, rather than impacting shareholders or individual directors, as is the case in the private sector. The impact of public sector fines, in the form of budget cuts to essential services, often falls on the victims of breaches, not the perpetrators. In effect, those affected by breaches are doubly punished.”
At first glance, it may seem that the Electoral Commission was fortunate to have discovered the breach within the two-year period during which the ICO is trialling a more flexible approach to sectoral enforcement.
Echoing the ICO's announcement that it would reduce sanctions for public sector data breaches, Edwards said the regulator would raise standards through a harm prevention approach and adopt a more proactive workflow to engage senior leaders of public organizations to drive data protection compliance across government agencies.
But as Edwards unveiled his plan for testing, which combines more relaxed enforcement with aggressive outreach, he acknowledged that efforts on both sides are needed, writing:[W]”We can't do this alone. We need accountability to make these improvements on all fronts.”
The Electoral Commission's breach could therefore raise broader questions about the success of ICO trials, including whether public authorities kept their side of the bargain in a deal that would have justified more lenient enforcement.
It certainly doesn't appear that the Electoral Commission was proactive enough in assessing the risk of breaches in the early months of the ICO trial, i.e. before it discovered the intrusion in October 2022. For example, the ICO's reprimand, which the Commission describes as a “basic measure” for failing to fix known software flaws, sounds like the definition of an avoidable data breach that the regulator said it wanted to eliminate in its public sector policy shift.
However, in this case, the ICO claims it failed to apply its more relaxed public sector enforcement policy.
When asked why they didn't impose a fine on the Electoral Commission, ICO spokesperson Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered in this matter. Although the number of people affected was large, the personal data concerned was primarily limited to names and addresses on the electoral roll. Our investigation found no evidence that personal data was misused or that any direct harm was caused as a result of this breach.”
“The Election Commission has taken necessary steps to improve security after the incident, including implementing an infrastructure modernization plan, password policy management and multi-factor authentication for all users,” the spokesperson added.
The regulator explained that no fine was imposed because the data was not misused, or rather, the ICO found no evidence of misuse: simply releasing the information of 40 million voters does not meet the ICO's criteria.
One might wonder how focused the regulators' investigations were on uncovering how voter information was misused.
The ICO's public sector enforcement experiment resumed in late June, with the experiment approaching its two-year milestone, and the regulator issued a statement saying it would review the policy before making a decision on the future of its sectoral approach in the autumn.
It remains to be seen whether this policy will be maintained or whether there will be a shift towards fewer disciplinary actions and more fines for public sector data breaches. Either way, the Electoral Commission data breach shows that the ICO is reluctant to impose sanctions on the public sector unless leaking people's data will lead to clear harm.
It is unclear how a deliberately unenforceable regulatory approach will help to improve data protection standards across government.