ICO reprimands Electoral Commission over significant data security failures

The UK Information Commissioner’s Office has issued a reprimand to the Electoral Commission for failing to protect residents’ personal information during a 2021 cyber attack.

In August 2021, the Electoral Commission suffered a data security incident in which threat actors infiltrated its internal server “which held our email, our control systems, and copies of the electoral registers.”

Recently, in a statement shared with the media, the Information Commissioner’s Office said that its investigation into the data security incident has revealed that the “Electoral Commission did not have appropriate security measures in place to protect the personal information it held.”

“It did not ensure its servers were kept up to date with the latest security updates. The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack.

“The Electoral Commission also did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk,” the information watchdog said.

In a statement, Stephen Bonner, Deputy Commissioner at the ICO, said, “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

The Electoral Commission said in its published response to the ICO’s reprimand that it has taken various steps to strengthen data security and will continue to invest to make its systems more resilient to cyber attacks.

“We regret that sufficient protections were not in place to prevent the cyber-attack on the Commission,” the Commission said. “Since the cyber-attack, security and data protection experts – including the ICO, National Cyber Security Centre and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.

“We will continue to ensure our cyber security keeps pace with emerging threats, and remain vigilant to the risks facing our electoral processes and institutions. We will continue to work with the UK’s governments and the wider electoral community to safeguard the safety of the system,” it added.


Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543