Ocweedly

Before the attack, the Electoral Commission failed a fundamental security test.

The Electoral Commission revealed that it failed a fundamental cyber-security test around the time hackers gained access to the organization.

According to a whistleblower, the Commission received an automatic fail during a Cyber Essentials audit.

The Commission said last month that “hostile actors” had accessed its emails and potentially the data of 40 million voters.

According to a spokesperson, the Commission has yet to pass the basic criteria.

The electoral watchdog announced in August that hackers breached its IT systems in August 2021, retaining access to critical data until they were identified and removed in October 2022.

The unidentified intruders had access to Electoral Commission email communication and might have read databases including the names and addresses of 40 million registered voters, including millions who were not on public voter rolls.

It is still unknown who carried out the incursion or how the Commission was breached.

However, a whistleblower has revealed that, in the same month that hackers were breaking into the organization, cyber-security auditors told the Commission that it was not compliant with the Cyber Essentials scheme, a government-backed system to help organizations achieve minimum best practice in cyber-security.

Cyber Essentials is a voluntary program that many businesses use to demonstrate to customers that they are security-conscious.

The government requires all providers competing for contracts that involve handling certain sensitive and personal information to hold an up-to-date Cyber Essentials accreditation.

However, when the Commission attempted to be certified in 2021, it failed in several areas.

The Commission’s spokeswoman acknowledged the flaws, but claimed they were unrelated to the cyber-attack that affected email systems.

One of the reasons it failed the test was that approximately 200 staff laptops were running outdated and potentially insecure software.

The Commission was asked to update the Windows 10 Enterprise operating system, which had fallen out of date for security updates months earlier.

Auditors also issued the failure because personnel were using obsolete iPhones that no longer received security updates from Apple.

The National Cyber Security Centre (NCSC), which supports the Cyber Essentials scheme, recommends that all organizations keep their software up to date in order “to prevent known vulnerabilities from being exploited” by hackers.

Daniel Card, a cyber-security consultant who has assisted numerous organizations in becoming Cyber Essentials compliant, believes it is too early to assess whether the flaws highlighted in the audit allowed hackers to get access.

“Early indications suggest that the hackers gained access to the email servers in another way, but there’s a chance that the chain of attack included one or more of these poorly-secured devices,” he said.

Whether or not the hackers did it, “it paints a picture of a weak posture and a possible failure to govern and manage,” he added.

According to the NCSC, being “vulnerable to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber-criminals and others.”

The UK’s Information Commissioner’s Office, which has certified Cyber Essentials and Cyber Essentials Plus, stated that the cyber-attack was being investigated as a matter of urgency.

The Electoral Commission stated after the attack was reported that the data hacked from the entire electoral register was “largely in the public domain.”

However, because less than half of the data on the register is publicly available through the open register, which can be purchased, the hackers would have had access to information belonging to tens of millions of people who opted out of the public list.

According to the Electoral Commission, it did not apply for Cyber Essentials in 2022.

“We are always working to improve our cyber-security and systems, and we draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyber-threats,” it said in a statement.
