
Basic failures led to hack of Electoral Commission data on 40 million people

UK government identifies Chinese state-linked hackers as likely to have been behind attack on the Electoral Commission

The Information Commissioner’s Office (ICO) has issued a reprimand to the Electoral Commission after basic security errors allowed hackers linked to the Chinese state to gain access to servers containing the personal information of 40 million people.

Hackers were able to access the Electoral Commission’s Microsoft Exchange Server after the organisation failed to patch known security vulnerabilities.

The Electoral Commission disclosed in August 2023 that it had been subject to a major cyber attack in 2021, which remained undetected for 12 months.

The attackers gained access to personal information stored on the electoral register, including the names and home addresses of everyone who had registered to vote between 2014 and 2022. They also had access to the personal data of people who had opted not to register their details on the open version of the electoral register and the names of registered overseas voters.

The then Conservative deputy prime minister, Oliver Dowden, told the Commons in March 2024 that Chinese state-linked hacking groups were “highly likely” to have been behind the attack.

A separate campaign by a Chinese state-sponsored hacking group targeted the email accounts of over 40 UK parliamentarians who had spoken out against China.

Known vulnerabilities

Investigations into the attack against the Electoral Commission revealed that at least two hacking groups had accessed an on-premises Microsoft Exchange Server used to manage email and related services.

The groups exploited known vulnerabilities in the Exchange Server that remained unpatched for three to five months after Microsoft had released fixes for them. The ICO found that the Electoral Commission did not have an “appropriate patching regime” in place, which is why the vulnerabilities remained.

If the Electoral Commission had taken basic steps to protect its systems, it is highly likely that this data breach would not have happened
Stephen Bonner, ICO

The Electoral Commission was also criticised for its failure to have adequate password policies in place at the time of the attack. Investigations revealed that many users were using passwords that were similar or identical to those originally allocated by the service desk.

Stephen Bonner, the ICO’s deputy commissioner, said: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

Patching failures

According to the ICO report, hackers gained access to the unpatched Microsoft Exchange Server in August 2021 by exploiting ProxyShell, a chain of three Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that together let an unauthenticated attacker run code on the server.

Microsoft had already rated the vulnerabilities critical. They were regarded as easy to exploit and were well known in the hacking community, having been publicly detailed at the Black Hat security conference in August 2021, before the intrusion.
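ProxyShell leaves a recognisable footprint in the IIS logs of an Exchange front end, which is the kind of check that would have surfaced an intrusion like the one described here long before 12 months had passed. The Python script below is an added example, not code from the ICO report or from the Electoral Commission. It runs over a constructed IIS W3C log excerpt and flags the publicly documented request shapes: an autodiscover.json request with an ‘@’ in the query string (the path-confusion step), a PowerShell backend request carrying an X-Rps-CAT token, and any .aspx request under /aspnet_client/, where a healthy Exchange server serves no pages. The IP addresses, token value and web shell file name are made up.

```python
"""Flag ProxyShell-style requests and web shell hits in IIS W3C logs from an Exchange front end."""
from collections import defaultdict

# Constructed log excerpt for this example; not taken from the ICO reprimand or the
# Electoral Commission's systems. Data lines 1-3 mimic the publicly documented ProxyShell
# request shape; lines 4-5 are ordinary Outlook Web App and Autodiscover traffic.
CONSTRUCTED_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-24 01:12:03 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 203.0.113.10 200
2021-08-24 01:12:09 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 203.0.113.10 200
2021-08-24 01:13:41 POST /aspnet_client/zyxw.aspx - 203.0.113.10 200
2021-08-24 01:14:00 GET /owa/auth/logon.aspx url=%2fowa%2f 198.51.100.7 200
2021-08-24 01:14:02 POST /autodiscover/autodiscover.json - 198.51.100.8 200
"""


def parse_w3c(text: str):
    """Yield (line_number, {field: value}) for each data line, using the #Fields: header.

    W3C extended logs are space-delimited and encode embedded spaces as '+',
    so a plain split() recovers the columns."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before #Fields header")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield n, dict(zip(fields, parts))


def classify(rec: dict) -> list[str]:
    """Return the names of every detection rule the request matches (empty list if none)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    hits = []
    # CVE-2021-34473 path confusion: autodiscover.json with an '@' in the query, so the
    # text after the '@' is treated as the real backend path (/mapi/nspi, /powershell, ...).
    if stem == "/autodiscover/autodiscover.json" and "@" in query:
        hits.append("proxyshell-autodiscover-ssrf")
    # CVE-2021-34523: a forged Exchange PowerShell access token passed as X-Rps-CAT.
    if "x-rps-cat=" in query.lower():
        hits.append("proxyshell-rps-token")
    # Web shell: /aspnet_client/ holds only static helper scripts on a healthy Exchange
    # server, so any .aspx under it deserves a look.
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        hits.append("webshell-aspnet_client")
    return hits


def scan(text: str):
    """Return (findings, sources): findings as (line, rule, client_ip); sources as ip -> set of rules."""
    findings = []
    sources = defaultdict(set)
    for n, rec in parse_w3c(text):
        for rule in classify(rec):
            findings.append((n, rule, rec["c-ip"]))
            sources[rec["c-ip"]].add(rule)
    return findings, dict(sources)


if __name__ == "__main__":
    found, by_ip = scan(CONSTRUCTED_IIS_LOG)
    for line, rule, ip in found:
        print(f"line {line}: {rule} from {ip}")
    for ip, rules in by_ip.items():
        print(f"{ip}: {', '.join(sorted(rules))}")
```

On the constructed excerpt the three attacker requests are flagged and the two legitimate ones are not, and the client IP that triggers several rules in a short window is the one to pivot on. A match on the autodiscover rule alone is only evidence of an attempt; a following X-Rps-CAT request or a new .aspx hit is what indicates the chain completed, and the file that .aspx request names should be pulled from disk for analysis rather than simply deleted.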

A report commissioned by the Electoral Commission later identified a further eight vulnerabilities on the organisation’s Microsoft Exchange Servers that could have been exploited by hackers.

“This failing is a basic measure that we would expect to see implemented in any organisation processing personal data,” the ICO said in a formal reprimand.

Guessable passwords

The ICO found that the Electoral Commission did not have a dedicated password management policy in place and that the only password guidance was “do not reveal or write down passwords”.

Security investigators discovered that passwords set up by the Electoral Commission’s IT service desk when it created new accounts or reset old accounts were insecure. The investigators were able to rapidly crack 178 active accounts using passwords that were identical or similar to passwords provided by the service desk. An audit found that the service desk’s practice of reusing passwords made the Electoral Commission’s accounts “highly susceptible” to cracking.
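The service-desk finding is a password-similarity problem rather than a brute-force one: the investigators only needed the desk’s issued passwords plus the small set of edits users make when told to change them. The Python below is an added example, not the investigators’ tooling. It builds those variants (case changes, an appended digit or symbol, a bumped counter, letter-to-symbol swaps) for a set of constructed service-desk defaults, hashes each candidate once and looks up a constructed set of account hashes. SHA-256 stands in for the unsalted NT hashes that Active Directory actually stores, and the usernames and passwords are invented.

```python
"""Audit directory accounts for passwords identical or trivially derived from service-desk defaults."""
import hashlib
import re


def pw_hash(password: str) -> str:
    # Stand-in for the directory's stored hash. Active Directory keeps unsalted NT (MD4)
    # hashes; SHA-256 is used here only so the example runs anywhere. The audit logic is
    # the same either way: hash every candidate once, then look each stored hash up.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def variants(base: str) -> set[str]:
    """The base password plus the edits users make when told to 'choose a new one'."""
    cases = {base, base.lower(), base.upper(), base.capitalize()}
    out = set(cases)
    for b in cases:
        # Append a digit or symbol: "Welcome2021!" -> "Welcome2021!1"
        for c in "0123456789!?.#":
            out.add(b + c)
        # Drop trailing punctuation, or add some if there was none
        stripped = b.rstrip("!?.#")
        out.update({stripped, stripped + "!"})
        # Bump the last run of digits: "Welcome2021!" -> "Welcome2022!", "Passw0rd1" -> "Passw0rd2"
        m = re.match(r"^(.*?)(\d+)(\D*)$", b)
        if m:
            head, num, tail = m.groups()
            for delta in range(-2, 4):
                n = int(num) + delta
                if n >= 0:
                    out.add(f"{head}{n:0{len(num)}d}{tail}")
        # Single letter-to-symbol substitutions
        for a, r in (("a", "@"), ("o", "0"), ("e", "3"), ("i", "1"), ("s", "$")):
            out.add(b.replace(a, r))
    return {v for v in out if v}


def audit(stored: dict[str, str], desk_defaults: list[str]) -> dict[str, str]:
    """Return user -> recovered password for every account matching a default or a variant of it."""
    lookup: dict[str, str] = {}
    for base in desk_defaults:
        for v in variants(base):
            lookup.setdefault(pw_hash(v), v)
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# Constructed data: two defaults the service desk hands out, and five accounts whose
# owners changed (or did not change) them in the ways the reprimand describes.
SERVICE_DESK_DEFAULTS = ["Welcome2021!", "Passw0rd1"]
CONSTRUCTED_ACCOUNTS = {
    "a.smith": pw_hash("Welcome2021!"),    # never changed
    "b.jones": pw_hash("Welcome2022!"),    # year bumped
    "c.patel": pw_hash("welcome2021!1"),   # lower-cased, digit appended
    "d.khan":  pw_hash("Passw0rd2"),       # counter bumped
    "e.lopez": pw_hash("kV7#mq2L!pz9Rw"),  # unrelated passphrase, not derived from a default
}

if __name__ == "__main__":
    hits = audit(CONSTRUCTED_ACCOUNTS, SERVICE_DESK_DEFAULTS)
    print(f"{len(hits)} of {len(CONSTRUCTED_ACCOUNTS)} accounts use a service-desk password or a trivial variant")
    for user, pw in sorted(hits.items()):
        print(f"  {user}: {pw}")
```

Four of the five constructed accounts fall out immediately, which is the shape of the 178-account result the investigators reported. A real audit applies the same idea with a rule-based cracker such as hashcat against NT hashes extracted from a domain controller under explicit authorisation, and the remedy on the desk’s side is to issue a unique, randomly generated password per ticket and force a change at first logon, so that no two accounts ever start from the same secret.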

The Electoral Commission reported an incursion to the National Cyber Security Centre (NCSC) after an employee discovered that spam emails were being sent from the Electoral Commission’s Exchange Server in October 2021.

At the time, the Electoral Commission said it considered the issue to be an isolated incident, according to the ICO’s reprimand.

The Electoral Commission was aware of problems with outdated infrastructure and reported that as it was planning to move its infrastructure towards the cloud, “remedial action with the old servers was limited”, the ICO’s report stated.

China risk

In May 2024, GCHQ director Anne Keast-Butler warned that China’s cyber capabilities posed a significant threat to the UK and other countries.

“China has built an advanced set of cyber capabilities and is taking advantage of a growing commercial ecosystem of hacking outfits and data brokers at its disposal,” she said.

These include a campaign by a Chinese state-sponsored hacking group, known as APT31, that targeted the email accounts of more than 40 UK parliamentarians who had spoken out against China.

The Foreign, Commonwealth and Development Office summoned the Chinese ambassador to the UK to answer questions about the hacks in March 2024.

Remedial steps

The Electoral Commission said it had taken a series of remedial steps following the incident, including implementing a technology modernisation plan and introducing a managed infrastructure support service.

The Electoral Commission has also implemented services to monitor servers, firewalls and internet traffic, and to support threat and vulnerability programmes.

In addition, it has introduced password policy controls in Microsoft’s Active Directory and implemented multifactor authentication (MFA) for all users.

Bonner said that although an unacceptably high number of people were affected by the hack, the ICO had no reason to believe any personal data had been misused and there was no evidence that “direct harm” had been caused by the breach.

A spokesman for the Electoral Commission said: “We regret that sufficient protections were not in place to prevent the cyber attack on the commission. Since the cyber attack, security and data protection experts – including the ICO, National Cyber Security Centre and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.”

How hackers exploited a known vulnerability to access the records of 40 million people

April and May 2021

Security patches for vulnerabilities later exploited by hackers to gain access to the Electoral Commission are released.

Threat actor 1

24 August 2021

Hackers gain access to an on-premises Microsoft Exchange Server 2016 used for email, contacts, calendars and collaboration by exploiting the ProxyShell vulnerability chain. They use the chain to impersonate a user account and write a series of back doors, known as web shells, to the server. One of the web shells remains on the system and is used by the hackers to access the Electoral Commission’s network.

16 September 2021

Hackers access the Electoral Commission using a back door (or web shell) created on 24 August 2021.

13 June 2022

Hackers again access the Electoral Commission using a back door (or web shell) created on 24 August 2021.

2 August 2022

Hackers access the Electoral Commission for a third time using a back door (or web shell) created on 24 August 2021.

Threat Actor 2

3 October 2021

A second hacking group successfully exploits a ProxyShell vulnerability to access the same unprotected Microsoft Exchange Server at the Electoral Commission. The group deploys a back door, or web shell, which is detected and quarantined.

14 March 2022

The hacking group creates a scheduled task to download and execute a payload. The IP address involved is the same one used in the October 2021 incursion. Investigators are unable to determine whether the group retained access to the Exchange Server from October 2021 or compromised it again in March 2022.

Third wave of attacks

28 October 2021

An employee of the Electoral Commission reports that spam emails are being sent from the Electoral Commission’s Exchange Server. Investigators scan the Microsoft Exchange Server, which shows it has been infected with malware.

The Exchange Server is then shut down and scrubbed. A new scan shows the malware has been removed, although the web shell planted by the first threat actor on 24 August 2021 survives the clean-up and is used again in June and August 2022.

The Electoral Commission engages security experts to carry out remediation and to conduct an initial penetration test.

The Electoral Commission advises the National Cyber Security Centre (NCSC) about the incident. The NCSC advises the Electoral Commission to appoint an accredited company to carry out a wider investigation into the Electoral Commission’s IT systems.
