Inadequate cybersecurity led to major breach of UK voters' data
The Electoral Commission has been reprimanded over cybersecurity lapses that led to the personal data of 40 million people being hacked.
The Information Commissioner’s Office (ICO) has found cybercriminals were able to access data held on the electoral register after they exploited software vulnerabilities that the electoral watchdog had known about for months.
The ICO found the electoral body had failed to install the latest security updates at the time of the attack, which occurred in 2021 but was not identified until late 2022.
It also revealed the watchdog had inadequate passwords in place at the time of the incident, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
Stephen Bonner, deputy commissioner at the ICO, said: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
The cybercriminals had access to the personal information held on those registered to vote between 2014 and 2022, including names and home addresses, for more than a year.
However, Bonner said there is “no reason to believe the data was misused” or evidence to suggest the breach had caused any “direct harm”.
Earlier this year the Conservative government linked the incident to China-backed hackers and summoned the Chinese ambassador to explain what had happened.
The government also linked China to a cyber-attack on a group of MPs, including former SNP MP Stewart McDonald.
Former deputy prime minister Oliver Dowden said the incidents showed a “clear and persistent pattern of behaviour that signals hostile intent from China”.
However, the Chinese embassy claimed the accusations were “completely fabricated” and “malicious slanders”.
Following the attack, the Electoral Commission upgraded its infrastructure and introduced password policy controls and multi-factor authentication for all users.
The ICO announcement comes after Labour announced it would introduce a Cyber Security and Resilience Bill during the King's Speech to enhance the UK's cybersecurity measures.