British Voters Wide Open To Attack

Britain’s national Electoral Commission faced significant cyber security failings shortly before a major data breach in which hackers potentially accessed the data of millions of voters, including sensitive information not available on public registers. The Electoral Commission itself has now confirmed that it failed a basic cyber security test at about the same time as hackers attacked the organisation.

This follows previous warnings that the UK’s Electoral Commission had failed the Cyber Essentials test in multiple areas, including the use of outdated and vulnerable devices and software.

The unnamed attackers accessed Electoral Commission email correspondence and could have viewed databases containing the names and addresses of 40 million registered voters, including millions of those not on public registers.

The Commission has said that "hostile actors" hacked into its emails and potentially the data of 40 million voters.
The hackers obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.” Government officials pointed the finger of blame at Russia, with Sir David Omand, a former director of GCHQ, reported as saying that Russia was the prime suspect.

The Commission has now determined that the attack started in August 2021, although it was not detected until October 2022. The Commission has since disclosed that it did not pass the test due to two issues, which it contends are unrelated to the hack:

  • An earlier version of Windows software found running on some Commission laptops.
  • An outdated version of operating system software on staff mobiles.

It said these problems were not linked to the attack, which affected the organisation’s email servers.

Cyber Essentials is voluntary but widely used by organisations as a way to show customers they are security-aware. The government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold an up-to-date Cyber Essentials certificate. But the Commission failed in multiple areas when it tried to get certified in 2021.

When the hack was first disclosed, the Electoral Commission said that the data hacked from the full electoral register was "largely in the public domain". However, less than half the data on the open register, which can be purchased, is publicly available, so the hackers would have accessed data belonging to tens of millions of people who opted out of the public list.

Cyber Essentials is a standard that the UK government requires of all suppliers; however, it was originally created to help small businesses, not large corporates.

Sources: Electoral Commission, Safety Detectives, BBC, Guardian, Silicon, CSO Online, Computer Weekly, Cybernews
