Personal details of millions of UK voters were left “vulnerable to hackers” because passwords were not changed and software not updated, the UK’s data privacy watchdog has found.
The Electoral Commission, which oversees UK elections, has been formally reprimanded by the Information Commissioners Office (ICO) over the security lapse.
Beginning in August 2021 cyber-attackers were able to access computers containing the Electoral Registers, which hold details of voters including millions of those not available publicly.
The Electoral Commission said it regretted that sufficient protections were not in place to prevent the cyber-attack.
“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area,” it said in a statement.
The investigation did not find any evidence that personal data was misused, or that any direct harm has been caused by the attack.
The ICO said hackers had access to the Electoral Commissions’ systems for over a year.
It was only spotted when an employee reported that spam emails were being sent from the commission’s own email server.
The hackers were eventually booted out in 2022.
The UK government has formally accused China of being behind the attack on the commission, claims the Chinese embassy rejected as “malicious slander”.
The ICO’s investigation found the Electoral Commission did not have appropriate security measures in place to protect the personal information it held.
To carry out the attack, hackers impersonated a legitimate user account and exploited a number of publicly known security weaknesses in software used by the commission.
Software updates which fixed these security holes had been available for months before the attack, but the Electoral Commission had failed to apply them.
The commission also did not have an “appropriate” policy in place to ensure employees were using secure passwords.
Investigators found 178 active email accounts were still using passwords identical or similar to those set by the organisation’s IT service desk when an account was created or reset.
ICO deputy commissioner Stephen Bonner said if the Electoral Commission had “taken basic steps” to protect its systems, it was “highly likely” the data breach would not have happened.
“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” he said.