The Information Commissioner’s Office (ICO) has issued a reprimand to the Electoral Commission after basic security errors allowed hackers linked to the Chinese state to gain access to servers containing the personal information of 40 million people.
Hackers were able to access the Electoral Commission’s Microsoft Exchange Server after the organisation failed to patch known security vulnerabilities.
The Electoral Commission disclosed in August 2023 that it had been subject to a major cyber attack in 2021, which remained undetected for 12 months.
The attackers gained access to personal information stored on the electoral register, including the names and home addresses of everyone who had registered to vote between 2014 and 2022. They also had access to the personal data of people who had opted out of the open (publicly available) version of the electoral register, and to the names of registered overseas voters.
The then Conservative deputy prime minister, Oliver Dowden, told the Commons in March 2024 that Chinese state-linked hacking groups were “highly likely” to have been behind the attack.
A separate campaign by a Chinese state-sponsored hacking group targeted the email accounts of over 40 UK parliamentarians who had spoken out against China.
Known vulnerabilities
Investigations into the attack against the Electoral Commission revealed that at least two hacking groups had accessed an on-premises Microsoft Exchange Server used to manage email and related services.
The groups exploited known vulnerabilities in the Exchange Server that remained unpatched for three to five months after Microsoft had released fixes for them. The ICO found that the Electoral Commission did not have an “appropriate patching regime” in place, which is why the vulnerabilities were still present when the attackers arrived.
The Electoral Commission was also criticised for its failure to have adequate password policies in place at the time of the attack. Investigations revealed that many users were using passwords that were similar or identical to those originally allocated by the service desk.
The ICO’s deputy commissioner, Stephen Bonner, said: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
Patching failures
According to the ICO report, hackers were able to access the unpatched Microsoft Exchange Server in August 2021 by exploiting the vulnerability chain known as ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), for which Microsoft had shipped Exchange security updates in April and May 2021.
The chain, previously rated critical by Microsoft, was regarded as easy to exploit and was well known in the hacking community: the researcher who discovered it, Orange Tsai, had presented it at the Black Hat USA conference in August 2021, and public exploit code followed shortly afterwards.
A report commissioned by the Electoral Commission later identified a further eight vulnerabilities on the organisation’s Microsoft Exchange Servers that could have been exploited by hackers.
“This failing is a basic measure that we would expect to see implemented in any organisation processing personal data,” the ICO said in a formal reprimand.
Guessable passwords
The ICO found that the Electoral Commission did not have a dedicated password management policy in place and that the only password guidance was “do not reveal or write down passwords”.
Security investigators discovered that passwords set up by the Electoral Commission’s IT service desk when it created new accounts or reset old accounts were insecure. The investigators were able to rapidly crack 178 active accounts using passwords that were identical or similar to passwords provided by the service desk. An audit found that the service desk’s practice of reusing passwords made the Electoral Commission’s accounts “highly susceptible” to cracking.
The Electoral Commission reported an incursion to the National Cyber Security Centre (NCSC) after an employee discovered that spam emails were being sent from the Electoral Commission’s Exchange Server in October 2021.
At the time, the Electoral Commission said it considered the issue to be an isolated incident, according to the ICO’s reprimand.
The Electoral Commission was aware of problems with outdated infrastructure and reported that as it was planning to move its infrastructure towards the cloud, “remedial action with the old servers was limited”, the ICO’s report stated.
China risk
In May 2024, GCHQ director Anne Keast-Butler warned that China’s cyber capabilities posed a significant threat to the UK and other countries.
“China has built an advanced set of cyber capabilities and is taking advantage of a growing commercial ecosystem of hacking outfits and data brokers at its disposal,” she said.
These include a campaign by a Chinese state-sponsored hacking group, known as APT31, that targeted the email accounts of more than 40 UK parliamentarians who had spoken out against China.
The Foreign, Commonwealth and Development Office summoned the Chinese ambassador to the UK to answer questions about the hacks in March 2024.
Remedial steps
The Electoral Commission said it had taken a series of remedial steps following the incident, including implementing a technology modernisation plan and introducing a managed infrastructure support service.
The Electoral Commission has also implemented services to monitor servers, firewalls and internet traffic, and to support threat and vulnerability programmes.
In addition, it has introduced password policy controls in Microsoft’s Active Directory and implemented multifactor authentication (MFA) for all users.
Deputy commissioner Bonner said that although an unacceptably high number of people were affected by the hack, the ICO had no reason to believe any personal data had been misused and there was no evidence that “direct harm” had been caused by the breach.
A spokesman for the Electoral Commission said: “We regret that sufficient protections were not in place to prevent the cyber attack on the commission. Since the cyber attack, security and data protection experts – including the ICO, National Cyber Security Centre and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.”