Monday, 9 October 2023

What do we know about the Electoral Commission data breach? And what can we learn from it?

In August 2023 the Electoral Commission admitted it had been the victim of a cyber-attack. Now the dust has settled, what can we learn from the event?

Continuing with the theme for Cybersecurity Awareness Month this October, our next blog looks at the story reported in August 2023, when the Electoral Commission admitted it had been the victim of a cyber-attack. Since then, details have been emerging about the nature of the attack and the attack vectors deployed.


On August 8, 2023, the Electoral Commission announced that it had been “the subject of a complex cyber-attack … highlighting that the UK’s democratic process and its institutions remain a target for hostile actors online.”

The breach affected:

•    copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. 

•    the name and address of anyone in Great Britain who was registered to vote between 2014 and 2022, the names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018. 

•    the Commission’s email system.


The timeline of the breach

The incident was first identified in October 2022 after suspicious activity was detected on the regulator’s systems. 

Subsequent investigations revealed that hostile actors had first accessed the Commission’s systems in August 2021.


It is not clear why the Commission then waited a further nine months to announce the data breach.


The implications of the breach

The Electoral Commission has played down the impact of the breach. 

At the time of the announcement, the Commission’s chief executive Shaun McNally admitted that his organisation did not know exactly which files had been accessed, but said: “While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyberattack to influence the process.”

Tech commentators have argued that citing paper-based voting to play down the risk of election interference rather misses the point – and seems an inadequate response to the personal details of up to 40 million people being compromised.


How did the breach happen?

The BBC reported in September that poor cyber security hygiene was likely behind the breach. The Electoral Commission had failed back-to-back Cyber Essentials assessments. At the time of the breach, it was not Cyber Essentials certified.

According to the BBC, “a whistleblower has revealed that in the same month that hackers were breaking into the organisation, the Commission was told by cyber-security auditors that it was not compliant with the Cyber Essentials scheme – a system backed by the government to help organisations achieve minimum best practice in cyber-security … and prevent known vulnerabilities being exploited by attackers.”

The Commission failed in multiple areas when it tried to get Cyber Essentials certified in 2021. Further, the Commission did not take a follow-up test in 2022 – so remains uncertified.

In response to this news, Rubrik EMEA CISO Richard Cassidy told Computer Weekly that “failing to pass a Cyber Essentials audit is somewhat akin to leaving your doors and windows unlocked in a bad neighbourhood.”


How did the regulator leave itself vulnerable?

The BBC highlighted some of the reasons the Commission had failed the 2021 Cyber Essentials assessment.

They included:

•    around 200 staff laptops were running obsolete and potentially insecure software.

•    The Commission was urged to update the Windows 10 Enterprise operating system, which had fallen out of date for security updates months earlier.

•    staff were using old iPhones no longer supported by Apple to receive security updates.

TechCrunch also highlighted a self-hosted Exchange email server, which was online until at least August 2022. That was the same month that hackers began exploiting ProxyNotShell, a then-unpatched zero-day flaw affecting on-premises Exchange servers, which can be abused to gain full control of an email server. No patches for ProxyNotShell were available until months later, in November 2022, and in the meantime exploitation of ProxyNotShell was widespread across the internet.

Cyber-security consultant Daniel Card told the BBC, “There's a chance that the chain of attack may have included one or more of these poorly secured devices … it builds a picture of a weak posture and a probable failure to govern and manage.”


The motivation for the attack

The Commission said nobody has claimed responsibility for the hack, suggesting that the hackers have not contacted the Commission with an extortion demand, such as a ransom to return encrypted or stolen data. 

TechCrunch commented, “This is important as it suggests neither the hackers have claimed responsibility nor has the Commission heard from the hackers. Where there isn’t a financial motivation for a cyberattack, one might instead wonder what value this data has to an adversarial nation.”


What are experts saying about the attack on the Electoral Commission?

“Failing such basic measures is not a good look,” Alan Woodward, a professor of cybersecurity at Surrey University, told the Guardian.

Steven Murdoch, a professor of security engineering at University College London, added: “Failing to meet fundamental patching requirements is a pretty good indication that there are deeper problems with management of and investment in information security.”

With the records of 40 million people potentially compromised, the Electoral Commission said it has “taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies.”


What can we learn from the cyber-attack on the Electoral Commission?

There are several takeaways from the Electoral Commission hack:

•    Too many organisations – including those holding huge quantities of sensitive and personal data – are not prioritising cyber security or even implementing basic cyber-security measures.

•    Cyber Essentials certification is a good indicator of an organisation’s commitment to implementing basic cyber security measures.

•    Good patch management is essential: patching known vulnerabilities and ensuring devices and operating systems are up to date is a vital part of your cyber security defence.

•    Multi-factor authentication is another important way to strengthen your organisational cyber security stance.

•    Improved monitoring and alerts can reduce the time between a breach happening and a breach being discovered.

•    Organisations are still not taking the risks to personal data seriously enough, and improved reporting and greater openness are desirable.


What next?

Is your organisation Cyber Essentials certified? If not, please reach out to the Grant McGregor team now – we can help you get a plan in place to become certified.

Equally, if you’d like any help and advice about any of the cyber security measures discussed in this article, please reach out to our team.

Call us: 0808 164 4142

Further reading

You can find more ideas and helpful advice about cyber security issues elsewhere on the Grant McGregor blog:

•    New changes to Cyber Essentials for 2023

•    Is your business data at risk? Don’t take chances with old tech!

•    What is a watering hole attack? And how can you protect against it?

•    AI’s new role in cyber security

•    Is your organisation doing enough on supply chain security?

•    What can we learn from the Capita data breaches?

•    Do your backups include this important information?

•    Tips for successfully implementing a zero-trust approach to cyber security