Context
The ICO has issued a reprimand to the Electoral Commission after hackers gained access to servers that contained the personal information of approximately 40 million people.
Key points to note and next actions
In August 2021, hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been patched. The attackers had access to this information, including names and home addresses, for over a year, accessing the servers on several occasions without the Electoral Commission’s knowledge.
The investigation found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held. In particular:
- it did not ensure its servers were kept up to date with the latest security updates (the security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack); and
- it did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
Firms should ensure their systems and information are kept secure by applying security patches promptly once they are released and by reviewing their system access policies and controls, including the password policies that govern service-desk-issued credentials.
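The second finding above is that many accounts were still using passwords identical or similar to the ones originally allocated by the service desk. The following Python example, added here and not taken from the ICO notice or from the Electoral Commission, shows one way an identity system can enforce that part of a password policy at change time: it compares a proposed password with the issued one after normalising case, punctuation, trailing counters (2021 to 2022) and common "leet" substitutions, and rejects it above a similarity threshold. The account names, issued passwords and the 0.8 threshold are constructed assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not from the ICO notice): the temporary passwords the
# service desk issued to each account. Assumption: the identity system keeps
# these until the user has completed a first, compliant password change.
ISSUED_PASSWORDS = {
    "alice": "Welcome2021!",
    "bob": "Temp-Pass-42",
}

# Common "leet" substitutions users apply to keep a password recognisable.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

SIMILARITY_THRESHOLD = 0.8  # assumed policy value, not from the notice


def normalise(password: str) -> str:
    """Reduce a password to the 'core' a user is likely to have reused:
    case-fold, drop punctuation, strip a trailing counter (2021 -> 2022),
    then undo leet substitutions."""
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    core = re.sub(r"\d+$", "", core)
    return core.translate(LEET)


def similarity(a: str, b: str) -> float:
    """0.0 (unrelated) .. 1.0 (identical after normalisation)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def check_new_password(user: str, candidate: str,
                       threshold: float = SIMILARITY_THRESHOLD):
    """Decide whether a proposed password may replace the issued one.
    Returns (accepted, reason)."""
    issued = ISSUED_PASSWORDS.get(user)
    if issued is None:
        return True, "no issued password on record"
    if candidate == issued:
        return False, "identical to the password allocated by the service desk"
    score = similarity(candidate, issued)
    if score >= threshold:
        return False, f"too similar to the allocated password (score {score:.2f})"
    return True, f"accepted (score {score:.2f})"


if __name__ == "__main__":
    # Walk through a few constructed change attempts.
    for user, candidate in [("alice", "Welcome2021!"),
                            ("alice", "W3lc0me2022#"),
                            ("bob", "TempPass43"),
                            ("alice", "correct-horse-battery")]:
        print(user, repr(candidate), check_new_password(user, candidate))
```

The same normalisation can be run as a one-off audit when a breach or reprimand prompts a review: any account whose issued password still matches its current one (compared via the stored hash, not plaintext) is forced through a change that this check will then police.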