UK ICO Reprimands Electoral Commission for 2021 Hack Attack
Hackers Exploited ProxyShell Vulnerability to Compromise Commission Systems
The British data regulator reprimanded the U.K.'s Electoral Commission for its failure to prevent a 2021 cyberattack that resulted in the exposure of millions of voter records.
Hackers in 2021 breached the networks of the U.K. Electoral Commission to access copies of electoral register files. The exposed data includes names and details of 40 million individuals registered to vote between 2014 and 2022 (see: UK Electoral Commission Suffered 'Complex' Hack in 2021).
The U.K. Information Commissioner's Office, which launched an assessment in the wake of the incident, on Tuesday reprimanded the Electoral Commission under the U.K. General Data Protection Regulation.
The data regulator said hackers breached the Electoral Commission's networks after exploiting the ProxyShell vulnerability present in the agency's Microsoft Exchange Server. The attackers continued to maintain access to the compromised networks for more than a year, largely due to the agency's failure to deploy adequate security solutions, the ICO said.
"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened," said Stephen Bonner, the ICO's deputy commissioner.
The Electoral Commission did not have password management policies at the time of the incident; it simply required its employees to "not reveal or write down passwords." One of the compromised accounts was still using a default software vendor password at the time of the hack. Further analysis revealed that 178 Electoral Commission accounts used the same or similar default passwords.
"This failing is a basic measure that we would expect to see implemented in any organization processing personal data - regardless of potential severity of risk or size of organization," the ICO said.
The U.K. Electoral Commission did not immediately respond to a request for comment. The ICO said the electoral agency has taken a number of remedial steps in the wake of the hack, including monitoring firewalls and all other internet connections, supporting threat and vulnerability programs, adopting a password management policy and deploying multifactor authentication.