Electoral Commission failed basic security test before hack
Around the same time hackers gained access to the Electoral Commission, it failed a basic cyber-security test.
A whistleblower told the BBC that the Commission was given an automatic fail during a Cyber Essentials audit.
It was revealed last month that “hostile actors” gained access to the Commission’s emails and perhaps the data of 40 million voters.
The Commission has still not passed the basic test, a spokeswoman said.
Hackers had access to sensitive data from August 2021 until October 2022, when they were discovered and removed. The election watchdog announced the hack last month.
It is believed that the unnamed attackers accessed Electoral Commission email correspondence and may have gained access to databases containing the names and addresses of 40 million registered voters, including millions who are not on public voting lists.
The perpetrator of the intrusion and how the Commission was breached have yet to be revealed.
According to the whistleblower, cyber-security auditors informed the Commission that it was not complying with the Cyber Essentials scheme, a government-backed system for achieving minimum best practice in cyber-security, in the same month that hackers broke into the organisation.
Despite being voluntary, Cyber Essentials is widely used by companies to demonstrate their commitment to security.
Applicants for government contracts handling sensitive and personal information must hold an up-to-date Cyber Essentials certificate.
When the Commission tried to become certified in 2021, it failed in multiple areas.
A spokesperson for the Commission acknowledged the failings but said they were unrelated to the attack on the email server.
The Commission failed the test in part because approximately 200 staff laptops were running outdated and potentially insecure software.
The laptops were running a version of Windows 10 Enterprise that had stopped receiving security updates months earlier, and the Commission was urged to upgrade it.
Auditors also found staff using old iPhone models that Apple no longer supported with security updates.
The National Cyber Security Centre (NCSC), which backs Cyber Essentials, advises all organisations to keep their software up to date so that known vulnerabilities cannot be exploited by hackers.
Daniel Card, a cyber-security consultant who has helped many organisations become Cyber Essentials compliant, said it was too early to tell whether the failures highlighted in the audit allowed the hackers to gain access.