The UK’s Electoral Commission has admitted to failing a vital cybersecurity test at the same time that hackers breached its systems, compromising the data of 40 million voters.
A whistleblower revealed to the BBC that the Commission received an automatic failure during a Cyber Essentials audit.
The breach, which occurred between August 2021 and October 2022, allowed unauthorized access to email correspondence and sensitive voter databases. The breach method and the perpetrators remain unidentified.
Notably, the Commission’s cybersecurity deficiencies, highlighted by its failed audit, likely contributed to the breach. Auditors cited outdated software on around 200 staff laptops and the use of unsupported iPhones as key reasons for the failed test.
These revelations raise concerns about the Commission’s cybersecurity readiness, especially as the government mandates Cyber Essentials certification for suppliers handling sensitive data.
The UK’s Information Commissioner’s Office (ICO) said it is urgently investigating the implications of the breach for data privacy and security.
While the Commission initially downplayed the significance of the breach, saying it was “largely in the public domain,” it affected data belonging to millions who had opted out of public registers.
“While we can’t be certain of their motive, what they found, or what the attacker was actually looking for, in this instance, the attackers had access to the electoral systems for a number of months, indicating they were looking for something other than quick financial gain, which is the most common motive of attacks,” explained Andrew Rose, resident CISO at Proofpoint.
“The longer an attacker remains undetected in a network – the more damage they can do. This breach serves as a stark reminder to all public and private organizations to take swift action to bolster their cyber defenses, making it harder for criminals to get into their systems in the first place and thus preventing this from happening again.”
Surprisingly, the Commission did not reapply for Cyber Essentials certification in 2022, but said it remains committed to improving its cybersecurity measures in collaboration with the National Cyber Security Centre (NCSC). Investigations into the breach continue.