Monday, January 5, 2026

Failure to implement basic security measures led to the hacking of data from the Electoral Commission, impacting 40 million individuals.

The Information Commissioner’s Office (ICO) has reprimanded the Electoral Commission for security errors that allowed hackers tied to the Chinese state to access servers containing the personal information of 40 million people.

The hackers breached the Electoral Commission’s Microsoft Exchange Server by exploiting known vulnerabilities that were left unpatched. This cyber attack, which went undetected for a year, compromised personal details from the electoral register, including names and addresses of voters from 2014 to 2022 and information from overseas voters.

Former Conservative deputy prime minister Oliver Dowden revealed in March 2024 that Chinese state-linked hacking groups were likely responsible for the breach. In a separate incident, Chinese hackers targeted the email accounts of 40 UK parliamentarians who criticized China.

The ICO report criticized the Electoral Commission for failing to patch security vulnerabilities and implement strong password policies. If the Commission had taken basic security precautions, such as prompt patching and password management, the breach could have been prevented.

The hackers exploited the ProxyShell vulnerability chain to access the unpatched Exchange Server. The Electoral Commission's inadequate password management also contributed to the breach, with many users using easily crackable or similar passwords provided by the service desk.

Despite the breach affecting a significant number of people, the ICO found no evidence of personal data misuse or direct harm caused. The Electoral Commission has since implemented remedial measures, including a technology modernization plan, monitoring services, and improved password policies and multi-factor authentication for users. Third-party security experts have reviewed and approved these measures.