Electoral Commission Attack – Failed to Pass Basic Security Test

The Electoral Commission was recently the target of a cyber-attack.

It has since emerged that the Commission failed a basic security test before the hack took place. A whistleblower told the BBC that the Commission was given an automatic fail during a Cyber Essentials audit. The Commission has still not passed this basic test.

Last month the Commission announced that hackers had gained access to its systems two years earlier and had taken sensitive data. The hackers were not discovered until October 2022, at which point they were removed from the systems. These hackers remain unnamed; however, they gained access to the Commission’s emails and would have been able to view data that included the names and addresses of 40 million voters. Millions of those records are not available on public registers.

We still don’t know who carried out this attack or how they gained access to the Commission’s systems.

Around the time the breach took place, cyber-security auditors told the Commission that it did not comply with Cyber Essentials.

Cyber Essentials

Learn more about how you can get certified and adhere to the Cyber Essentials guidelines here.

Cyber Essentials is a government-backed scheme that helps organisations meet a minimum set of cyber-security best practices. Although Cyber Essentials is voluntary, it is widely used by companies to show customers that they are safe and security aware. The government requires any and all suppliers bidding for contracts that involve accessing and handling sensitive information to hold an up-to-date Cyber Essentials certificate.

However, the Commission failed in multiple areas when it sought certification in 2021, the year the attack took place. The Commission’s spokeswoman confirmed the failings but claimed that they were not linked to the attack. One of the reasons it failed was that around 200 staff machines were running obsolete and potentially insecure software.

The Commission was running Windows 10 Enterprise on which security updates had stopped a few months earlier. The audit also found that staff were using old iPhones that were no longer receiving security updates from Apple.

The NCSC (National Cyber Security Centre), which backs Cyber Essentials, advised all organisations to keep their software up to date “to prevent known vulnerabilities from being exploited” by attackers.

Daniel Card, a cyber-security consultant, has played an important part in helping many companies become compliant with Cyber Essentials.

He says that, at the moment, it is too early to tell whether the failures in the Commission’s cyber-security audit were what allowed the attackers to breach the system.

“Early indications are that the hackers managed to get into the email servers a different way, but there’s a chance that the chain of attack may have included one or more of these poorly-secured devices,” he continued.

Card added, “it builds a picture of a weak posture and a probable failure to govern and manage”.

“Vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber-criminals and others.”

NCSC, on Cyber Essentials

The Information Commissioner’s Office (ICO) in the UK, which has itself passed Cyber Essentials and Cyber Essentials Plus, is currently investigating the attack on the Electoral Commission.

When the Electoral Commission announced the attack, it said the data that was accessed was “largely in the public domain”. However, less than 50% of the data on the open register is publicly available, so the hackers would have gained access to data belonging to tens of millions of people who opted out of the public list.

The Electoral Commission said it didn’t apply for Cyber Essentials last year.

The Commission said in a statement: “We are always working to improve our cybersecurity and systems and draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyber threats.”

If this story highlights anything, it’s that a proactive approach to cyber-security is not a luxury but a necessity. The recent cyber-attack on the Electoral Commission underscores the grave consequences of being ill-prepared. Had the Commission partnered with a Managed Service Provider (MSP), like Itek, that prioritised cyber-security and the up-to-date standards set by Cyber Essentials, many of the weaknesses the auditors identified might have been mitigated.

Are you in need of IT Support?

Itek provides IT solutions for your entire IT infrastructure. Your business can experience a cost-effective service at a predictable fixed rate, removing the burden from you and your team and freeing you to focus on your goals.
