Millions of UK voters' data exposed: Electoral Commission reprimanded over cybersecurity lapse

by Aj Wilson, Rosie Sherry | Read post on Ministry of Testing

A wake-up call for software testers

The UK's data privacy watchdog has issued a formal reprimand to the Electoral Commission following revelations that millions of UK voters' personal details were left exposed to hackers due to outdated software and unchanged passwords. The Information Commissioner's Office (ICO) uncovered that cyber-attackers accessed the Electoral Registers, containing sensitive voter information, from August 2021 until they were expelled in 2022.?

So what? This breach underscores the urgent need for effective security testing. Unauthorised access to voter data, including personal information like names and addresses, has potentially compromised the integrity of electoral systems.

• Beginning in August 2021 cyber-attackers were able to access computers containing the Electoral Registers
• It was only spotted when an employee reported that spam emails were being sent from the commission's own email server
• The hack was resolved in 2022
• Software updates which fixed the security holes had been available for months before the attack, but the?Electoral Commission had failed to apply them.
• The EC did not have an "appropriate" policy in place to ensure employees were using secure passwords.
• This unauthorised access to voter data, included personal information like names and addresses
• This data included details of 40 million voters, majority of data not available publicly
• This attack has potentially compromised the integrity of electoral systems
• The data accessed when this attack took place does not impact how people register, vote, or participate in democratic processes
• It has has no impact on the management of the electoral registers or on the running of elections
• The?UK EC released a statement today, 30th July, stating? “it regretted that sufficient protections were not in place to prevent the cyber-attack.”
• The current Information Commissioner's Office (ICO) deputy commissioner has confirmed it could have been prevented
• The Electoral Commission has since committed to enhancing its cybersecurity protocols to prevent future attacks.

Why bother? The ICO have various powers to take action for a breach of the UK GDPR or DPA (2018). Tools at their disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, they have the power to issue fines of up to ￡17.5 million or 4% of your annual worldwide turnover, whichever is higher.

The ICO also work with the National Cyber Security Centre, in their role as a NIS competent authority, and in the immediate response phase to cyber-attacks which lead to breaches of personal data.

Yet somehow, a statement on this was not released by the ICO until 08 August 2023. Despite the issue being “resolved in 2022”.?

As voters, personal information is an important part of political campaigning - it allows political parties to get crucial messages to voters and helps them to understand the key issues for different people. In May 2023 John Edwards, the Information Commissioner wrote to political parties reminding them of their data protection obligations. But why were the general public not made aware, was this in the news for all to hear? Could we have been swayed if a political party was using profiling techniques? Could China have caused a result to infer gain? If the ICO takes action against organisations for "risking public trust" by failing to respond to public requests for information or allowing hacks with poor process - how does that work with our own Government? A formal reprimand is not enough.?

What's more…as software testing professionals there are always lessons to be learned.

Importance of Rigorous Security Testing:

• Remember - these breaches always affect people?
• Regularly perform comprehensive security assessments to identify vulnerabilities
• Use both automated and manual penetration testing to discover potential weaknesses
• This can all be done from the design stage

Data Protection Protocols:

• Ensure sensitive data is encrypted both at rest and in transit
• Keep systems updated and patched to defend against known exploits

Incident Response Planning:

• Develop and maintain an incident response plan to quickly address breaches
• Conduct drills with your teams to ensure readiness and efficiency in handling actual incidents

Compliance and Good Practices:

• Stay informed about industry standards and best practices for Cybersecurity
• Ensure compliance with relevant regulations, such as GDPR, to protect user data

Be Prepared:

• If you don’t know anything about security testing yet, dip your toe in the water
• Get informed about Threat Modelling, OWASP
• Try basic Security Testing your API with good tools
• Ensure compliance with relevant regulations, such as GDPR, to protect user data
• Use our Security Collection to get you started or refresh your knowledge

This breach serves as a crucial reminder for software testers to prioritise security in their testing processes, to make sure we are using our “Testing Toolbox” items like Risk Storming, our Oracle knowledge and Heuristics. Proactive and thorough security measures are essential to safeguard sensitive information and maintain trust in digital systems.

Resources

• Ministry of Testing Security Collection
• Information Commissioner's Office - The ICO is the independent supervisory authority for data protection in the UK
• ICO Voter hacking Statement
• Poor security let hackers access 40 million voters' details - BBC News
• Photo by Steve Houghton-Burnett on Unsplash