How the theft of 40M UK voter register records was entirely preventable
Published: Mordad 13, 1403
Updated: 01 Tir 1404

A cyberattack on the U.K. Electoral Commission that resulted in the data breach of voter register records on 40 million people was entirely preventable had the organization used basic security measures, according to the findings from a damning report by the U.K.’s data protection watchdog published this week.

The report published by the U.K.’s Information Commissioner’s Office on Monday blamed the Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote in elections, for a series of security failings that led to the mass theft of voter information beginning August 2021.

The Electoral Commission did not discover the compromise of its systems until more than a year later in October 2022 and took until August 2023 to publicly disclose the year-long data breach.

The Commission said at the time of public disclosure that the hackers broke into servers containing its email and stole, among other things, copies of the U.K. electoral registers. Those registers store information on voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and nonpublic voter information.

The U.K. government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.” China denied involvement in the breach.

The ICO issued its formal rebuke of the Electoral Commission on Monday for violating U.K. data protection laws, adding: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

For its part, the Electoral Commission conceded in a brief statement following the report’s publication that “sufficient protections were not in place to prevent the cyber-attack on the Commission.”

Until the ICO’s report, it wasn’t clear exactly what led to the compromise of tens of millions of U.K. voters’ information, or what could have been done differently.

Now we know that the ICO specifically blamed the Commission for not patching “known software vulnerabilities” in its email server, which was the initial point of intrusion for the hackers who made off with reams of voter data. The report also confirms a detail reported by TechCrunch in 2023 that the Commission’s email was a self-hosted Microsoft Exchange server.

In its report, the ICO confirmed that at least two groups of malicious hackers broke into the Commission’s self-hosted Exchange server during 2021 and 2022 using a chain of three vulnerabilities collectively referred to as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server.

Microsoft released patches for ProxyShell several months earlier in April and May 2021, but the Commission had not installed them.

By August 2021, U.S. cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, at which point any organization with an effective security patching process in place had already rolled out the fixes months earlier and was already protected. The Electoral Commission was not one of those organizations.

“The Electoral Commission did not have an appropriate patching regime in place at the time of the incident,” read the ICO’s report. “This failing is a basic measure.”

Among the other notable security issues discovered during the ICO’s investigation, the Electoral Commission allowed passwords that were “highly susceptible” to being guessed, and the Commission confirmed it was “aware” that parts of its infrastructure were out of date.

ICO deputy commissioner Stephen Bonner said in a statement on the ICO’s report and reprimand: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

Why didn’t the ICO fine the Electoral Commission?

An entirely preventable cyberattack that exposed the personal data of 40 million U.K. voters might sound like a serious enough breach for the Electoral Commission to be penalized with a fine, not just a reprimand. Yet, the ICO has only issued a public dressing-down for the sloppy security.

Public sector bodies have faced penalties for breaking data protection rules in the past. But in June 2022, under the prior Conservative government, the ICO announced it would trial a revised approach to enforcement on public bodies.

The regulator said the policy change meant public authorities would be unlikely to see large fines imposed for breaches for the next two years, even as the ICO suggested incidents would still be thoroughly investigated. But the sector was told to expect increased use of reprimands and other enforcement powers, rather than fines.

In an open letter explaining the move at the time, information commissioner John Edwards wrote: “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

At a glance, it might look like the Electoral Commission had the good fortune to discover its breach within the ICO’s two-year trial of a softer approach to sectoral enforcement.

In concert with the ICO saying it would test fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive workflow of outreach to senior leaders at public authorities to try to raise standards and drive data protection compliance across government bodies through a harm-prevention approach.

However, when Edwards revealed the plan to test combining softer enforcement with proactive outreach, he conceded it would require effort at both ends, writing: “[W]e cannot do this on our own. There must be accountability to deliver these improvements on all sides.”

The Electoral Commission breach might therefore raise wider questions over the success of the ICO’s trial, including whether public sector authorities have held up their side of a bargain that was supposed to justify the softer enforcement.

Certainly it does not appear that the Electoral Commission was adequately proactive in assessing breach risks in the early months of the ICO trial, that is, before it discovered the intrusion in October 2022. The ICO’s reprimand describing the Commission’s failure to patch known software flaws as a “basic measure,” for example, sounds like the definition of the avoidable data breach the regulator had said it wanted its public sector policy shift to purge.

In this case, however, the ICO claims it did not apply the softer public sector enforcement policy.

Responding to questions about why it didn’t impose a penalty on the Electoral Commission, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered for this case. Despite the number of people impacted, the personal data involved was limited to primarily names and addresses contained in the Electoral Register. Our investigation did not find any evidence that personal data was misused, or that any direct harm has been caused by this breach.”

“The Electoral Commission has now taken the necessary steps we would expect to improve its security in the aftermath, including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users,” the spokesperson added.

As the regulator tells it, no fine was issued because no data was misused, or rather, the ICO didn’t find any evidence of misuse. Merely exposing the information of 40 million voters did not meet the ICO’s bar.

One might wonder how much of the regulator’s investigation was focused on figuring out how voter information might have been misused.

Returning to the ICO’s public sector enforcement trial in late June, as the experiment approached the two-year mark, the regulator issued a statement saying it would review the policy before making a decision on the future of its sectoral approach in the fall.

Whether the policy sticks or there’s a shift to fewer reprimands and more fines for public sector data breaches remains to be seen. Regardless, the Electoral Commission breach case shows the ICO is reluctant to sanction the public sector, unless exposing people’s data can be linked to demonstrable harm.

It’s not clear how a regulatory approach that’s lax on deterrence by design will help drive up data protection standards across government.
Source: https://techcrunch.com/2024/08/02/how-the-theft-of-40-million-uk-voter-register-records-was-entirely-preventable/