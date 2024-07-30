

Chinese hackers were able to access the data of 40m voters after staff at the Electoral Commission failed to update their passwords, a report has found.

The Information Commissioner’s Office (ICO), the data protection watchdog, said that insecure password policies were partly responsible for hackers gaining access to the commission’s systems in 2021 and 2022.

It said that hundreds of staff accounts had used default passwords supplied by the commission’s IT department, including one of the accounts compromised during the attack.

The Electoral Commission had also failed to update its software to protect against the attacks in August 2021.


Hackers were able to access the electoral register for more than a year, and the servers were repeatedly accessed until the incident was discovered in October 2022.

The Conservative government blamed the attack on hackers backed by the Chinese state in March.

Experts have linked the incident to Hafnium, a state-sponsored group that carried out a series of data thefts exploiting vulnerabilities in Microsoft software.

Details including names, addresses, National Insurance numbers, nationalities and ages are on the electoral register.

The ICO formally reprimanded the Electoral Commission on Tuesday, saying it had not taken “basic steps” to protect its systems.

It said the main cause of the breach was that the commission had failed to install security updates released by Microsoft in April and May 2021 – several months before the hack took place.

However, it also admonished the commission for poor password practices, saying many staff accounts were still using the default, easy-to-guess passwords issued by its service desk.

In an audit, an unnamed IT company was able to break into 178 accounts because they were using passwords identical or similar to those issued when the accounts were created.

There is no evidence that the downloaded electoral register was used for cyber crime.

However, staff did find that spam emails were being sent from the Electoral Commission’s servers.


Stephen Bonner, the ICO’s deputy commissioner, said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.

“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

An Electoral Commission spokesman said: “We regret that sufficient protections were not in place to prevent the cyber-attack on the commission.

“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area.”