Image: A polling station in Kingston upon Hull during the general election in July. Credit: Hullian111 / WikiMedia Commons

Security flaws at UK elections agency left door open for Chinese hackers, watchdog finds

The United Kingdom’s privacy watchdog reprimanded the country’s Electoral Commission on Tuesday for failing to protect the personal information of nearly 40 million people accessed by hackers during a cyberattack three years ago.

According to the Information Commissioner’s Office (ICO), the election agency failed to ensure its systems were kept up to date with the latest security updates and did not have sufficient password policies.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” ICO Deputy Commissioner Stephen Bonner said in a statement on Tuesday.

During an attack in 2021, the threat actor accessed the personal information, including names and home addresses, of everyone registered to vote in the U.K. from 2014 onwards.

In March, the U.K.’s National Cyber Security Centre (NCSC) attributed the breach to a Chinese state-backed hacker group named APT31.

According to the ICO, the hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured.

In particular, the threat actor gained access to the on-premises Microsoft server via the ProxyShell vulnerability chain, which consists of the following security flaws: CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473.

The patches for these vulnerabilities were released in April and May 2021, months before the attack, according to the ICO.

Further investigation revealed eight more vulnerabilities on the Electoral Commission's servers. “Although not utilized on this occasion, any one of them could have been exploited by a threat actor whilst they existed on the relevant systems,” the ICO said.

The Electoral Commission also did not have proper password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.

“This practice of reusing passwords makes the Electoral Commission's passwords highly susceptible to password guessing,” the ICO said.
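The weakness the ICO describes, a password that is identical or only trivially different from the one the service desk first allocated, is something a password-change workflow can reject at the moment the user picks it. The following is an added example written for this article; it is not code from the ICO, the Electoral Commission or the original report. The normalization rules (case folding, common digit-for-letter substitutions, trailing digits and symbols dropped), the edit-distance threshold and the sample accounts are all assumptions constructed for the example.

```python
"""Reject new passwords that merely rework an initially allocated one.

Added example, not ICO or Electoral Commission code. All accounts and
passwords below are constructed for illustration.
"""
import re

# Common substitutions users make to "change" a password without changing it.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Reduce a password to its base word: fold case, drop the trailing run of
    digits/symbols (Welcome2021! -> welcome), then undo leetspeak
    (P@ssw0rd1 -> password). Stripping happens before translation so that a
    trailing '1' is treated as a digit, not as the letter 'l'."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(_LEET)


def too_similar(candidate: str, allocated: str, max_distance: int = 2) -> bool:
    """True when the candidate is the allocated password or a thin variant of it.
    max_distance is an assumed threshold: two edits covers a swapped character
    or an incremented counter that survived normalization."""
    if candidate.lower() == allocated.lower():
        return True
    a, b = normalize(candidate), normalize(allocated)
    # Substring match only when both bases are long enough to be meaningful;
    # an all-digit candidate normalizes to "" and must not match everything.
    if len(a) >= 4 and len(b) >= 4 and (a == b or a in b or b in a):
        return True
    return levenshtein(a, b) <= max_distance


def flag_reused_initial_passwords(candidates: dict, allocated: dict) -> dict:
    """Map each user with an allocated password to whether their chosen
    password should be rejected. Users with no allocated record are skipped."""
    return {user: too_similar(pw, allocated[user])
            for user, pw in candidates.items() if user in allocated}


# Constructed sample data: what the service desk handed out, and what each
# user tried to set at their first password change.
ALLOCATED = {"jsmith": "Welcome2021!", "adoe": "Commission1", "rlee": "Summer21"}
CANDIDATES = {"jsmith": "Welcome2022!", "adoe": "C0mmission2!", "rlee": "Tr0ub4dor&3"}

if __name__ == "__main__":
    for user, rejected in flag_reused_initial_passwords(CANDIDATES, ALLOCATED).items():
        print(f"{user}: {'REJECT (reworks allocated password)' if rejected else 'ok'}")
```

Of the three constructed accounts, only `rlee` picked a genuinely new password; the other two changed a counter or swapped a digit for a letter, which is exactly the pattern that leaves a password guessable by anyone who knows the service desk's allocation scheme. In a real deployment the allocated value would be held as a hash and compared through the same normalization, not stored in clear text.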

Following the breach, the Electoral Commission took a number of steps to improve its security, including implementing a plan to modernize its infrastructure, as well as password policy controls and multi-factor authentication for all users, according to the ICO.

The reprimand “should serve as a reminder to all organizations that you must take proactive and preventative measures to ensure your systems are secure,” Bonner said.

“Do you know if your organization has installed the latest security updates? If not, then you jeopardize people's personal information and risk enforcement action, including fines,” he added.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.