British Voters Wide Open To Attack

Uploaded on 2023-09-11 in GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

Britain’s natonal Electoral Commission faced significant cyber security failings shortly before a major data breach, where hackers potentially accessed the data of millions of voters, including sensitive information not available on public registers. Now the UK’s Electoral Commission itself has confirmed it failed a basic cyber security test at about the same time some hackers attacked the organisation.

This follows previous warnings that the UK’s Election Commission had failed the Cyber Essentials test in multiple areas, including the use of outdated and vulnerable devices and software.

The unnamed attackers accessed Electoral Commission email correspondence and could have viewed databases containing the names and addresses of 40 million registered voters, including millions of those not on public registers.

The Commission has said that "hostile actors" hacked into its emails and potentially the data of 40 million voters.
The hackers obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.” Government officials pointed the finger of blame at Russia with Sir David Omand, a former director of GCHQ, reported as saying that Russia was the prime suspect.

The Commission has now determined that the attack started in August 2021, although it was not detected until October 2022. The commission has since disclosed that it did not pass the test due to two issues which it contends are unrelated to the hack:

  • An earlier version of Windows software found running on some Commission laptops 
  • An outdated version of operating system software on staff mobiles.

It said these problems were not linked to the attack, which affected the organisation’s email servers.

Cyber Essentials is voluntary but widely used by organisations as a way to show customers they are security-aware. The government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold an up-to-date Cyber Essentials certificate. But the Commission failed in multiple areas when it tried to get certified in 2021.

When the hack was first disclosed, the Electoral Commission said that the data hacked from the full electoral register was "largely in the public domain". However, less than half the data on the open register, which can be purchased, is publicly available, so the hackers would have accessed data belonging to tens of millions of people who opted out of the public list.

Cyber Essentials is a standard that UK government requires of all suppliers, however, it was originally created to help small businesses, not large corporates.

Electoral Commission:    Safety Detectives:     BBC:      Guardian:       Silicon:    CSO OnlineComputer Weekly

Cybernews:      

You Might Also Read: 

Penetration Testing For An Effective Cyber Security Defence:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Red Teaming Is More Relevant Than Ever
The Security Aspects Of Open Banking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Redscan Cyber Security

Redscan Cyber Security

Redscan Cyber Security is a Managed Security Services Provider (MSSP) that enables businesses to effectively manage their information security risks.

Information Security Research Group - University of South Wales

Information Security Research Group - University of South Wales

The Information Security Research Group has an international reputation in the areas of network security, computer forensics and threat analysis.

Operational Center for Information Systems Security (COSSI)

Operational Center for Information Systems Security (COSSI)

COSSI is responsible for the detection and mitigation of cyber attacks directed at French Government information systems.

Tempest

Tempest

TEMPEST is a leading provider of IT products and services including solutions for network and application security.

AnChain.AI

AnChain.AI

AnChain.AI's analytics platform proactively protects crypto assets by providing proprietary artificial intelligence, knowledge graphs, and threat intelligence on blockchain transactions.

RIT Global Cybersecurity Institute

RIT Global Cybersecurity Institute

At RIT's Global Cybersecurity Institute, we educate and train cybersecurity professionals; develop new cybersecurity and AI-based knowledge for industry, academia, and government.

Syber Technology

Syber Technology

Syber Technology is an IT project implementer empowering IT systems of Small to Medium Enterprises in the Middle East.

Qrator Labs

Qrator Labs

Qrator Labs is a leader in DDoS attack mitigation, helping organizations protect their websites from the most harmful, sophisticated DDoS attacks.

Tetra Tech

Tetra Tech

Tetra Tech is a cybersecurity leader with extensive experience in supporting enterprise-wide programs and systems across multiple business lines from industrial control systems to health IT.

FirstWave Cloud Technology

FirstWave Cloud Technology

FirstWave Cloud Technology is a global cyber security company which has been delivering Cybersecurity-as-a-service solutions to the market since 2004.

Datenschutz Schmidt

Datenschutz Schmidt

Datenschutz Schmidt is a service provider with many years of experience, we support you in complying with numerous data protection guidelines, requirements and laws.

Conquest Cyber

Conquest Cyber

Conquest Cyber builds adaptive risk management programs where innovation is most needed – within defense, intelligence, federal civilian agencies and the industrial base that supports them.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

Ministry of Electronics & Information Technology (MeitY)

Ministry of Electronics & Information Technology (MeitY)

The Ministry of Electronics & Information Technology is an executive agency responsible for IT policy, strategy and development of the electronics industry.

Block Harbor Cybersecurity

Block Harbor Cybersecurity

Block Harbor has worked closely with automakers, suppliers, and regulators since 2014 on vehicle cybersecurity.

Zeron

Zeron

Zeron build bridges between security teams and top management. Our platform unifies your cyber risk posture seamlessly, encompassing threat insights and quantifiable risk scenarios.