Why the theft of 40 million UK voter registration records was completely preventable

A cyberattack on Britain's Electoral Commission that resulted in the leak of 40 million voter records could have been completely prevented if the body had taken basic security measures, a report published this week by the UK's data protection regulator found.

The report, published on Monday by the UK's Information Commissioner's Office (ICO), faulted the Electoral Commission, which holds a copy of the UK electoral register, for a series of security failings that led to the mass leak of voter data beginning in August 2021.

The Electoral Commission only discovered the breach in October 2022, more than a year after the intrusion began, and it took until August 2023 for the breach to be made public.

The Commission said at the time of the disclosure that hackers had broken into a server containing emails and stolen several items, including copies of the UK electoral register, which contains information on voters registered between 2014 and 2022, including names, postal addresses, phone numbers and other voter information.

The British government later blamed the breach on China, with senior officials warning that the stolen data could be used for “large-scale espionage and international repression of dissidents and critics in the UK.” China has denied any involvement in the breach.

The ICO issued a formal reprimand to the Electoral Commission on Monday for breaching UK data protection law, adding: “It is highly likely that this data breach would not have happened if the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management.”

The Electoral Commission issued a brief statement after the report was published, saying that "sufficient safeguards were in place to prevent cyberattacks on the commission."

Until the ICO report was released, the exact cause of the data breach affecting tens of millions of UK voters was unknown, and it was not clear what could have been done differently.

We now know that the ICO specifically accused the Commission of failing to patch a "known software vulnerability" in its email servers, which was the initial point of entry through which the hackers exfiltrated a large amount of voter data. The report also confirms, as TechCrunch reported in 2023, that the Commission's email was hosted on a self-managed Microsoft Exchange server.

The ICO said in its report that at least two groups of malicious hackers compromised the Commission's self-hosted Exchange servers in 2021 and 2022 using a chain of three vulnerabilities collectively known as ProxyShell. This allowed the hackers to take control of the servers and install malware on them.

Microsoft had released patches for ProxyShell several months earlier, in April and May 2021, but the Commission had not installed them.

In August 2021, the US cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, but by that time any organization with an effective security patching process had applied the fixes months earlier and was already protected. The Electoral Commission was not one of those organizations.
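The paragraphs above describe the ProxyShell chain but not what its exploitation looks like from the defender's side. The following is an added example, not code from the article, the ICO or the Electoral Commission, showing the kind of retrospective check an incident responder would run over Exchange front-end IIS logs: ProxyShell's first stage (CVE-2021-34473) abuses the Autodiscover endpoint with an `@`-prefixed query to reach back-end services such as `/mapi/nspi` and `/powershell` (the latter being how CVE-2021-34523 is reached), and those requests leave a distinctive trace in the `cs-uri-query` field. The log lines are constructed for the example, the IP addresses are from documentation ranges, and the field order assumes the default IIS W3C layout; a real server's `#Fields:` header governs the parsing.

```python
"""Hunt for ProxyShell (CVE-2021-34473 / CVE-2021-34523) exploitation
attempts in Exchange front-end IIS logs.  Added example; log lines are
constructed, not taken from any real incident."""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed IIS W3C log excerpt.  Lines 1-2 mimic the publicly documented
# ProxyShell request shape; lines 3-4 are benign Autodiscover/OWA traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-12 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-12 03:15:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 198.51.100.20 Microsoft+Office/16.0 200
2021-08-12 03:16:22 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.org%2fowa%2f 443 - 198.51.100.21 Mozilla/5.0 200
"""


@dataclass
class Finding:
    client_ip: str
    method: str
    stage: str
    decoded_query: str


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than mis-key it
        yield dict(zip(fields, parts))


def classify_proxyshell(record):
    """Return a stage label if the request matches the ProxyShell pattern, else None.

    The trigger is an Autodiscover request whose query begins with '@': the
    Exchange front end strips the part before the '@' and proxies the rest
    to the back end, which is the path-confusion bug CVE-2021-34473.
    """
    stem = record.get("cs-uri-stem", "").lower()
    query = unquote(record.get("cs-uri-query", "")).lower()  # decode %3F, %40, ...
    if not stem.endswith("/autodiscover/autodiscover.json") or "@" not in query:
        return None
    if "/powershell" in query or "x-rps-cat=" in query:
        # Back-end PowerShell reached via Autodiscover: CVE-2021-34523 stage.
        return "autodiscover->powershell (CVE-2021-34473 + CVE-2021-34523)"
    if "/mapi/nspi" in query:
        # Address-book lookup used to obtain the target's SID before the
        # PowerShell stage.
        return "autodiscover->mapi/nspi (CVE-2021-34473 reconnaissance)"
    return "autodiscover path confusion (CVE-2021-34473)"


def detect_proxyshell(log_text):
    """Run the classifier over every request and collect the hits in log order."""
    findings = []
    for rec in parse_iis_w3c(log_text):
        stage = classify_proxyshell(rec)
        if stage:
            findings.append(Finding(rec["c-ip"], rec["cs-method"], stage,
                                    unquote(rec["cs-uri-query"])))
    return findings


if __name__ == "__main__":
    for f in detect_proxyshell(SAMPLE_IIS_LOG):
        print(f"{f.client_ip} {f.method} {f.stage}\n    {f.decoded_query}")
```

A hit does not prove compromise (scanners probe patched servers too), but a 200 response to the PowerShell stage on a server that was unpatched at the time is the kind of evidence that would have surfaced the Commission's intrusion well before October 2022. Patching remains the actual fix; this check only tells you whether the window was used.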

"The Electoral Commission did not have an adequate patching regime in place at the time of the incident," the ICO report said. "This failure was a fundamental one."

Other notable security issues uncovered during the ICO investigation included the fact that the Commission allowed passwords that were "highly vulnerable" to guessing, and that the Commission "knew" that parts of its infrastructure were outdated.

“It is highly likely that this data breach would not have happened if the Electoral Commission had taken basic steps to secure its systems, such as effective security patching and password management,” ICO deputy director Stephen Bonner said in a statement responding to the ICO’s report and reprimand.

Why didn't the ICO fine the Electoral Commission?

A completely preventable cyberattack that exposed the personal data of 40 million British voters might sound like a serious enough breach for the ICO to punish the Electoral Commission with a fine rather than a reprimand. But the ICO has only issued a public reprimand for the Commission's lax security practices.

Public sector bodies have been penalised for breaching data protection rules in the past. But in June 2022, under the previous Conservative government, the ICO announced it would pilot a revised approach to enforcement for public bodies.

The regulator said the policy change meant public bodies were unlikely to face major fines for breaches over the following two years, though the ICO stressed it would still investigate incidents thoroughly. The sector was told to expect greater use of reprimands and other enforcement powers in place of fines.

In an open letter explaining the measure at the time, Information Commissioner John Edwards wrote: “I am not convinced that large fines are an effective deterrent in and of themselves in the public sector. They do not affect shareholders or individual directors in the same way as they would in the private sector, but come directly from budgets for service delivery. The impact of public sector fines is often felt by the victims of the breach, not by the perpetrators, in the form of reduced funding for essential services. In effect, those affected by the breach are punished twice.”

At first glance, then, it might look as though the Electoral Commission was lucky to benefit from the more relaxed approach to public sector enforcement that the ICO had been applying for two years.

Alongside the announcement that it would ease sanctions for public sector data breaches, Edwards said the regulator would take a more proactive approach to working with senior leaders in public bodies, in order to raise standards and ensure data protection compliance across government rather than waiting for breaches to happen.

But when Edwards revealed plans to experiment with combining softer enforcement with proactive outreach, he acknowledged that it would take effort on both sides, writing, “We can’t do this on our own. We have to be accountable to deliver these improvements on all fronts.”

The Electoral Commission breach could therefore raise wider questions about the success of the ICO trial, including whether public sector bodies held up their side of the bargain that was meant to justify more lenient enforcement.

Certainly, it does not appear that the Electoral Commission was adequately proactive about its own breach risk during the early months of the ICO trial, that is, before the breach was discovered in October 2022. The ICO's reprimand for failing to take "basic steps", such as patching a known software flaw, reads like the very definition of the avoidable data breach the regulator said its policy shift was meant to drive out of the public sector.

The ICO, however, says that it did not apply its more lenient public sector enforcement policy to this case at all.

When asked why the Electoral Commission was not fined, ICO spokesperson Lucy Milburn told TechCrunch: “Following a thorough investigation, no fines were considered for this incident. Despite the number of people affected, the personal data involved was primarily limited to names and addresses contained in the electoral register. Our investigation did not find any evidence that any personal data was misused or that anyone suffered any direct harm as a result of this breach.”

“The Election Commission has now implemented a plan to modernize its infrastructure and has taken steps to improve its security going forward, including implementing password policy controls and multi-factor authentication for all users,” the spokesperson added.

In the regulator's telling, there was no fine because it found no evidence the data had been misused. Merely exposing the information of 40 million voters did not meet the ICO's threshold.

One wonders how focused the regulator's investigation was on finding out whether the voter data had in fact been misused.

As the ICO's two-year public sector trial came to an end in late June, the regulator announced it would review the policy before deciding in the autumn on the future of the sector-specific approach.

It remains to be seen whether the policy will stay in place or whether the ICO will shift back towards fining public bodies for data breaches. Either way, the Electoral Commission case shows that the ICO is reluctant to impose sanctions on the public sector unless the exposure of people's data can be linked to demonstrable harm.

It is unclear how a regulatory approach that is by design more lenient will help raise data protection standards across government.
