British Voters Wide Open To Attack

Britain’s national Electoral Commission faced significant cyber security failings shortly before a major data breach in which hackers potentially accessed the data of millions of voters, including sensitive information not available on public registers. Now the UK’s Electoral Commission itself has confirmed it failed a basic cyber security test at about the same time that hackers attacked the organisation.

This follows previous warnings that the UK’s Electoral Commission had failed the Cyber Essentials test in multiple areas, including the use of outdated and vulnerable devices and software.

The unnamed attackers accessed Electoral Commission email correspondence and could have viewed databases containing the names and addresses of 40 million registered voters, including millions of those not on public registers.

The Commission has said that "hostile actors" hacked into its emails and potentially the data of 40 million voters. The hackers obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.” Government officials pointed the finger of blame at Russia, with Sir David Omand, a former director of GCHQ, reported as saying that Russia was the prime suspect.

The Commission has now determined that the attack started in August 2021, although it was not detected until October 2022. The Commission has since disclosed that it did not pass the test due to two issues, which it contends are unrelated to the hack:

  • An earlier version of Windows software found running on some Commission laptops 
  • An outdated version of operating system software on staff mobiles.

It said these problems were not linked to the attack, which affected the organisation’s email servers.

Cyber Essentials is voluntary but widely used by organisations as a way to show customers they are security-aware. The government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold an up-to-date Cyber Essentials certificate. But the Commission failed in multiple areas when it tried to get certified in 2021.

When the hack was first disclosed, the Electoral Commission said that the data hacked from the full electoral register was "largely in the public domain". However, less than half the data on the open register, which can be purchased, is publicly available, so the hackers would have accessed data belonging to tens of millions of people who opted out of the public list.

Cyber Essentials is a standard that the UK government requires of all suppliers; however, it was originally created to help small businesses, not large corporates.

Electoral Commission, Safety Detectives, BBC, Guardian, Silicon, CSO Online, Computer Weekly, Cybernews
