UK voter data within reach of miscreants who hacked Electoral Commission

The IT infrastructure of the UK's Electoral Commission was broken into by miscreants, who will have had access to names and addresses of voters, as well as the election oversight body's email and unspecified other systems. In a public notice on its website, the commission today said the intrusion was identified in October 2022 …

  1. J.G.Harston Silver badge

    How was this made possible?

    As a programmer and as an electoral data processor*, I ask: how the hell was this externally accessible?

    *One of the things I write is code that processes electoral and census data to present it in various useful formats. To get at the data I use for regulated uses you would have to a) break into my flat, b) break into my computer, c) break into the encrypted archives.

    1. Anonymous Coward

      Re: How was this made possible?

      so...just so I'm clear...you take private data home and leave it in your flat?

      1. CaNsA

        Re: How was this made possible?

        I have private/sensitive data, which requires a high level of security clearance to view, in my house.

        It's securely stored on a company device which is encrypted.

        What's your point?

        1. nonpc

          Re: How was this made possible?

          Do tell - how is the data protected when you are processing it? What steps do you take to prevent unwanted remote access to your PC and any LAN connection? In a commercial environment industrial-grade precautions (better than the Electoral Commission, one hopes) would be employed. From my decades in IT security, the weakest link is usually the human element when they bypass all the carefully crafted protections... Just sayin'

          1. CaNsA

            Re: How was this made possible?

            My device only accepts comms from a set of pre-defined sources.

            There are several levels of security in operation between my chair and the destination.

            Not everyone is an idiot, some people actually understand why certain protocols are enforced.

        2. Anonymous Coward

          Re: How was this made possible?

          None. It will be like the people that moaned some years ago about the "laptops stolen from an NHS trust" ignoring that all laptops that had been stolen were encrypted.

          1. Brewster's Angle Grinder Silver badge
            Trollface

            Re: How was this made possible?

            And each laptop protected by the top secret password: Password1, Password2, etc...

            1. Anonymous Coward

              Re: How was this made possible?

              No, it wasn't easily guessable surprisingly.

              I did point out however, they'd set up the encryption wrong, I was ignored until I left and then they finally admitted I was right. The lowly contractor was right but no one could admit it. I kept a laptop behind in the build room for when I'd get locked out because of the encryption. Would log onto the unlocked laptop that would unlock me and allow me back into the encryption. As they'd set the laptops to overrule the servers, instead of the servers overrule the laptops. But then this is also the department that, when I pointed out "Why are you using WEP for the office WIFI" (this was back in 2008) I was told "Well it's 128 bit WEP", I shook my head and walked off. They wouldn't listen. How many people in the flats opposite were on that WIFI surfing for free is anybody's guess.

      2. sanmigueelbeer
        Joke

        Re: How was this made possible?

        you take private data home and leave it in your flat?

        They are all well hidden. In the bathroom.

        1. John Brown (no body) Silver badge

          Re: How was this made possible?

          Ah, the Trump Security Method. Good'o :-)

      3. Decimal5446

        Re: How was this made possible?

        Spoken like someone living in the 90's. Build a strong perimeter and throw everything behind it and only allow access onsite. In 2023 we are way beyond that level of madness.

        1. Anonymous Coward

          Re: How was this made possible?

          "In 2023 we are way beyond that level of madness."

          But it's pretty obvious that we are drifting back to the 1990s and the myth that work only occurs in officially designated workplaces. Whether it's Elmo's anti-WFH rants, Rees-Mogg's anti-WFH rants, bile-splattered editorials against WfH in the Daily Vile, whether it's faceless large companies asserting new policies based around the inherent value of presenteeism. Factor in the myth of on-prem security, and there's plenty of people really believe that work only gets done in an office.

          Despite a remarkably successful and essentially location neutral approach to work for the past three years, my employers have now concluded that everybody has to have a formal office base at one of our larger offices that cover a handful and half of locations across the UK, thus restricting our recruitment to about a third of the population. The driving force for this is really quite simple: Bosses want peons sitting outside their office, supplemented by the fact that too many bosses can't use basic desktop and telecoms technologies.

          Modern management thinking on "leadership": You can't possibly be a pharaoh without both a court of senior managers, and an army of slaves.

          1. Decimal5446

            Re: How was this made possible?

            I think there is a time and place for all mixes of security controls and technologies. If people want nothing to leave the perimeter (whatever the hell that means these days), spin up a virtual desktop solution and even then when using that at home everything is still in the corporate perimeter. On the bums on seats and seeing the whites of people's eyes, thankfully my place trusts us to get things done without being seen sat there. Fingers crossed leadership change doesn't change that view!

          2. RichUK

            Re: How was this made possible?

            "my employers have now concluded that everybody has to have a formal office base at one of our larger offices": to be fair there may be tax/financial reasons behind that decision rather than presenteeism ones.

    2. Blazde Silver badge

      Re: How was this made possible?

      Not sure how it is now in the age of GDPR but I was an 'electoral data processor' in the '90s and just had a CD with the full register on it and I think there was a README or something saying to be a bit careful with it. It's so freely available I'd be surprised if - assuming this was a state-sponsored hack - the relevant state didn't already have it before breaking into the Electoral Commission. The email etc on inner workings to facilitate further attacks is more worrying.

      Anyway I'm just glad they fessed up quickly at all

    3. Anonymous Coward

      Re: How was this made possible?

      I just heard John Pullinger (sp?), the Chair of the Electoral Commission on BBC Radio 4 and he was being interviewed about this breach.

      He is clearly very unaware and could give no explanation as to exactly WHY such data should be on a computer system linked directly to the internet...

      He also said it was unknown what data the bad actor(s) may have viewed/saved/downloaded and that it only seemed to affect people who (wait for it) DID NOT WANT THEIR PRIVATE DATA USED FOR ANY PUBLICLY ACCESSIBLE ELECTORAL ROLL LISTINGS.

      He was also sounding very unapologetic and dismissive and was advising any affected people to contact the Action Fraud Helpline !!

      And these people are supposedly in charge of our data ???

      1. Steve Crook

        Re: How was this made possible?

        He also said no data had been stolen. Apparently unaware that, you know, you can copy it. I'm guessing he meant encrypted and them being held for ransom. But, really, given his lack of competence it's difficult to know if he has to have his secretary read his email to him or not let alone if he knows what ransomware is.

        The other thing, he tried to make a virtue out of them having undigitized paper records. Apparently, being slow and inefficient and not having joined the late 20th century (let alone the 21st) is a security virtue. Thank heavens there wasn't a fire too, I don't suppose the sprinkler system works either.

        1. cantankerous swineherd

          Re: How was this made possible?

          paper records an excellent idea imo, not being accessible by every criminal on the internet is a good thing.

        2. R Soul Silver badge

          Re: How was this made possible?

          "He also said no data had been stolen."

          Pullinger is trying to mislead and dissemble. Taking unauthorised copies of the EC's data doesn't mean the data were stolen.

          He also needs to have a word with his CEO who was quoted in the URL below.

          Chief executive officer Shaun McNally said the commission ... could not "conclusively" identify which files may have been accessed.

          https://www.bbc.co.uk/news/uk-politics-66441010

          1. Big Softie

            Re: How was this made possible?

            He also said "We regret that sufficient protections were not in place .."

            So that's alright then. "We apologise...we sincerely regret our mistake...we know we have to do better...lessons have been learned.." Off to collect my bonus....yawn...etc.

            It is truly stunning how widespread incompetence is becoming. It must be one of the fastest growing Corporate attributes in the modern world.

            1. CrazyOldCatMan Silver badge

              Re: How was this made possible?

              how widespread incompetence is becoming. It must be one of the fastest growing Corporate attributes

              And it's fuelled by companies being allowed to pay compensation without admitting liability. I understand why that came about (grifters suing companies hoping for a quick payout and it being cheaper to pay them off [1] rather than go through the court case) but it's still an abomination.

              [1] Paying the Danegeld *never* works.

        3. Potemkine! Silver badge

          Re: How was this made possible?

          Apparently, being slow and inefficient and not having joined the late 20th century (let alone the 21st) is a security virtue

          Of course. It's much easier to secure a physical item rather than a digital one.

      2. Pier Reviewer

        Re: How was this made possible?

        Properly segmenting data from the Internet is almost unheard of. I’ve worked in one place where it happened - I had to go to another part of the building to Google stuff. Then write down/print the results and walk back to my desk. It’s not practical in most orgs.

        If you want email to the desk, you have a route between the Internet and your PC. It may not be very direct, but it exists. Same with browsing the Internet.

        Personally my money is on VPN access with no MFA. Got no evidence at all to support that, but Exchange is awesome for highly reliable user enumeration and cred spraying. Plenty of enterprise VPNs support LDAP authN (i.e. AD) - find valid creds via Exchange, use them to VPN in. We do it all the time at work.

        1. Anonymous Coward

          Re: How was this made possible?

          When I worked for a firm that wanted the open electoral register for a particular constituency I was the one who had to get it because I lived in that constituency. I remember we paid and they asked for a company email address which I supplied. Then I was asked for another electronic means of contact that wasn’t connected to the email system (even remotely). This I also supplied and they said the email would get sent the encrypted list. The mobile number I’d given would be texted the password which wasn’t supposed to be kept on the same device as the list. Can’t tell you what the encryption was, the file type or anything like that. I just remember my manager being annoyed at what she saw as over the top security procedures.

        2. Dr Dan Holdsworth
          Thumb Down

          Re: How was this made possible?

          Don't ask me how I know, but even VPN with a second authentication factor isn't entirely safe.

      3. R Soul Silver badge

        Re: How was this made possible?

        Pullinger's career until recently has been in statistics. His Wikipedia entry says he was at Harvard Business School, which probably means he has an MBA. I'll bet - see what I did there? - those qualifications mean he can't be expected to know anything about IT or information security. I'll bet he won't resign either. And nobody on the Electoral Commission gets the sack for this data breach.

        Maybe he's another one of Michael "we've had enough of experts" Gove's appointments to the top jobs in the public sector.

        1. graeme leggett Silver badge

          Re: How was this made possible?

          1) He's the chair not the chief exec. He's supposed to know that there should be adequate security but shouldn't need to know minutiae

          2) Commissioners are appointed by a cross-party method "The Speaker's Committee on the Electoral Commission, with membership drawn from MPs within the UK Parliament, oversees the recruitment of electoral commissioners. The candidates for these posts are then approved by the House of Commons and appointed by HM the Queen. The Speaker’s Committee is also responsible for deciding any reappointment of members following a first term of service" (EC website)

          1. Anonymous Coward

            Re: How was this made possible?

            "...and appointed by HM the Queen..."

            might be a while before any new ones are appointed then.

            1. CrazyOldCatMan Silver badge

              Re: How was this made possible?

              might be a while before any new ones are appointed then.

              At least 3 monarchs' worth (unless something happens to Will and Henry..).

          2. awavey

            Re: How was this made possible?

            Which is fine, don't expect him to be the techie guy to solve the details, but why accept the invite to be interviewed just to use standard politician style bluster tactics ?

            And his ignorance of even the broad details and points compounds the breach, as it's likely this failure to understand the issue or his responsibility (see also senior execs at banks who gossip about account holders) for it that leads to systems not being secured properly and data breaches occurring, as he can surely be briefed to a level that even a child can understand by the techies to converse coherently on the topic.

      4. Dr Dan Holdsworth
        FAIL

        Re: How was this made possible?

        Do remember that the government currently in power are legislating for powers to force people to stop using secure point to point encryption and change to something that the Government can snoop on more easily. Because, you know, evil pornographers and criminals of all stripes always follow the law to the letter and don't simply ignore ignorant bollocks like this completely.

      5. John Brown (no body) Silver badge

        Re: How was this made possible?

        "Chair of the Electoral Commission"

        Yeah, not the best person to be interviewed on the subject of IT security. I doubt that was on his CV when he was appointed. Maybe if they had got their director of IT to interview instead, we might have got more sensible answers. But that's not how it works. Pick someone "important" who can waffle a lot and later claim they didn't really understand the technology when they gave "potentially misleading" answers when responding to the eventual Parliamentary Inquiry which will be so far down the road, most will have forgotten, few will care and plenty of time has passed to "bury the bodies".

  2. Paul Crawford Silver badge

    And yet they force OAPs (many who have neither driving licence nor passport) etc to get photo ID to vote now in some gerrymandering goal of stopping fraud?

    1. Anonymous Coward

      It was never about OAPs. It was about trying to disenfranchise Labour voters.

      1. Paul Crawford Silver badge
        Happy

        That might have been the goal, but it seemed to backfire:

        https://www.bbc.co.uk/news/uk-politics-65599380

      2. Steve Crook
        Thumb Up

        Doubtful. Evidence?

        Besides the number of voters disenfranchised was pretty low and pales into insignificance next to apathy.

        The Brexit referendum had a turnout of around 75%. For the most important vote in most people's lifetimes and there were still 25% of the population too lazy to get off their arses and spoil their ballots.

        The turnout of the local elections barely makes the needle move to 50%. On a good day.

        1. ChoHag Silver badge

          Re: Doubtful. Evidence?

          Too lazy to spend the day deciding who gets to fuck them?

          Some choice.

        2. Cynical Pie

          Re: Doubtful. Evidence?

          50% turnout for a local government election... dream on.

          In my nigh on 20 yr career as a Presiding Officer in a polling station we have never got within sight of 35% turnout for local elections.

        3. Brewster's Angle Grinder Silver badge

          Re: Doubtful. Evidence?

          "...the number of voters disenfranchised was pretty low..."

          We don't really know. One, there was a lot of publicity to stop people voting. Two, people on the door were turning people away rather than telling them they could go in and have their inability to vote recorded. I had to push my way through and they had to look up the procedure.

      3. Claverhouse Silver badge

        I'm not a Labour voter --- nor any other kind --- but as far as local elections, I skipped the last set; I won't carry ID for anything so trivial; nor should I have to.

        They're just trying to ape America's Republicans who wish to discourage Black voters. Next we'll have political advertising and robo-calls to make everything bleaker.

        1. Dr Dan Holdsworth
          Facepalm

          Voting in a public election is not trivial. It is the only direct way that you as a citizen have of affecting public policies.

          It is also a very hard-won civil right. Time was when only the aristocracy got a say, then only them plus property owners, and then it got thrown open to include most male individuals. It took a hell of a long time to go from democracy being the province of a minority to it being thrown open to everyone apart from imprisoned criminals; even giving women the vote took entirely too long to happen.

          So, if you can vote, do so and always support your right to cast a vote. It may mean voting for the least idiotic candidate, but at least you have some choice.

          1. Anonymous Coward

            "So, if you can vote, do so and always support your right to cast a vote. It may mean voting for the least idiotic candidate, but at least you have some choice."

            What choice? The difference between the options commonly available is limited, they don't stick to the manifestos they get elected on, they aren't competent in the execution of the policies they do have, and without exception they're out of touch with public opinion, and disinclined to even try and listen. And by voting for a least worst option you're endorsing that option. I would vote Conservative, except that there hasn't been a competent, electable offer from the party for decades, so I haven't.

            It was precisely "least worst" voting that led to the dismal coalition government, and all that have since followed including the vast parliamentary majority for the fat, blustering, lying oaf, and his government of all the a***holes.

            I do at least usually bother to go and spoil my ballot paper.

      4. Spazturtle Silver badge

        Who doesn't have ID? You need ID to get a job, claim benefits, rent a property, buy a property, stay in a hotel, open a bank account, register your child at a school, etc.

        1. Anonymous Coward

          Who doesn't have ID? You need ID to…

          That's a very good point: they have pretty much gradually snuck in ID cards by the back door, haven't they?

          Not that I have an objection to ID cards per se, it's the whole behind the scenes ball of squirming worms collection of interlinked databases that is the much more worrying aspect (and, as this article only too well shows, often poorly secured databases at that).

          The whole aspect of having to show ID to "get a job, claim benefits [OK, I guess that one is reasonable], rent a property, buy a property, stay in a hotel, open a bank account, register your child at a school" is very creepily big-brothery and seems very un-British (that's if we do still stand for anything good in the world any more?), but I grudgingly suppose it is the flip side of ensuring that only people with a legal right to be in the country can access services, although I'm not sure if I am entirely comfortable with that?

          Do hotels really require people to show ID now? That seems excessive - I thought they just needed to secure payment card details so that guests couldn't do a runner?

          Similarly, for registration at school seems rather creepy.

          Bank accounts: I haven't opened a bank account in-person for many years, and I thought that, when applying online, checking you were on the electoral register (ah, oops) was their main check - and that the electoral register was just done on trust by you filling in the form, or do the electoral registration systems (and, in turn, the bank systems) also double-check with the passport and driving licence systems behind the scenes, to check that you actually live where you filled in the form for?

          With all these things I fear that, one of these days, we're going to end up in the situation where you go to buy a pair of scissors in a shop and you can't open the sealed packaging because you don't already have a pair of scissors to cut it open…

    2. Jason Bloomberg Silver badge
      Thumb Up

      The easiest way to avoid needing Photo ID is to get a postal vote.

      And, if you want the full Good Old-Fashioned Voting Experience (TM); you don't need to post it. You can take it to the Polling Station, go to a booth, cast your vote - you must however use a pen and not a pencil, complete the rest, hand it to election staff. Job done.

      Friends don't let friends get disenfranchised - Pass it on.

      1. Howard Sway Silver badge

        This is no longer true

        The Elections Act 2022 will change the current postal voting process. Subject to secondary legislation, the Elections Act will implement the following.

        Electors will be required to provide ID when applying for a postal vote

        Require postal voters to reapply for a postal vote every 3 years

        Same rules apply for which id is valid

        1. Anonymous Coward

          Re: This is no longer true

          AC because I'm involved in the implementation of this (and could tell some stories of how much of a shitshow it has been).

          The main verification for postal vote applications will be by means of National Insurance Number (NINo) verification with the elector name - same as for applications to register to vote. There are then similar fallback options if the NINo verification is failed.

          There will also be additional hurdles for handing in postal packs at the polling station as you will now need to fill in a form as well as hand the pack over.

      2. Cynical Pie

        You don't even need to complete the postal vote in the polling station. You can just hand the sealed envelope to the staff manning the station BUT only if it is in the correct LA area.

        So for example in my Borough it is divided into 3 sections for the count and the envelope has to be handed in to a Polling Station taking their ballot box to the correct counting location for the Ward you are voting in.

        Less of an issue for Parliamentary Elections as there is only one count location per constituency.

    3. Snowy Silver badge
      Holmes

      Go postal!

      Get a postal vote and you do not need photo ID to vote :)

  3. Vikingforties

    Electronic voting

    Well, if there's any sense, this will put back electronic voting for at least a few years.

    1. A Non e-mouse Silver badge

      Re: Electronic voting

      Was the aim to influence voting, or was it to get data on people for other uses?

      1. Jason Bloomberg Silver badge
        Unhappy

        Re: Electronic voting

        I wonder if we will see a flood of spam mailshots arriving through our letterboxes shortly?

        Being registered under a unique legal alias it is easy for me to see who is illegally abusing the non-public electoral register to spam me.

        1. Timbo

          Re: Electronic voting

          "I wonder if we will see a flood of spam mailshots arriving through our letterboxes shortly?"

          The data breach was some time ago - Spring 2022 - going by the fact that it's taken 14 months for news of this breach to be made public.

          So, IF any part of the database has been downloaded, one can assume it has already been traded multiple times on the dark web and hence if any significant people were being scammed as a result, it would have happened by now.

          Either way, for this data to be on an internet connected computer system and accessible (to whom?) once a login/password was entered, shows a complete disregard for installing best-quality security systems to prevent "bad actors" from getting in. :-(

  4. Mike 137 Silver badge

    Any monitoring taking place?

    Fourteen months from breach to detection is something of a record -- it's typically 5-6 months these days. But even that is excessive.

    I get the strong impression that nobody is really monitoring their networks. In my consulting experience I can count on one finger the number of clients that have had a clear vision of normal activity. They almost all only refer to the logs after they've noticed due to other indications (e.g. being notified by a newspaper) that something has gone wrong, until which they don't recognise that anything is untoward.

    1. jonha
      FAIL

      Re: Any monitoring taking place?

      > I get the strong impression that nobody is really monitoring their networks.

      That's because they are so incredibly busy with pretending to take our security extremely seriously :-/

    2. wolfetone Silver badge

      Re: Any monitoring taking place?

      I don't want to make this political, but we have had 13 years of cuts and "austerity" which has affected so many departments you'd need the toes of a co-worker to count them. Roles such as police and nurses have been cut (or at least the budgets servicing them have been, forcing the cuts), why do we think IT would remain ring fenced among all of this?

      Couple this with the convenient "I don't understand computers" clap trap that's a get out of jail card for people caught out by these things, why hasn't this happened sooner and who else is this happening to?

      1. Binraider Silver badge

        Re: Any monitoring taking place?

        Cost of operating the UK exceeds the standards of service which it expects.

        The trouble is everybody loves more complexity; because “value”. And so the wrong cuts are made while poor decisions continue to be incentivised.

        There are solutions to this problem, but for reasons we continue to complicate in the name of progress; which it is often anything but.

        1. jmch Silver badge

          Re: Any monitoring taking place?

          "Cost of operating the UK exceeds the standards of service which it expects"

          Why would that be??? I doubt that in the UK, teachers, nurses, police officers and sundry civil servants are paid proportionally more than their counterparts in other European countries with similar service expectations. So either the cost is too high for the available budgets (meaning taxation is too low to provide the expected services) or else a lot of the money that the government should be spending on services isn't being spent effectively (most likely because large chunks of that budget are paid to external private companies whose owners know the right people).

          My gut feeling is that it's a little bit from the former (UK tax burden is very low compared to other developed countries): https://en.wikipedia.org/wiki/Tax_rates_in_Europe#/media/File:Payroll_and_income_tax_by_country.png

          ...and a huge chunk from the latter

          1. Binraider Silver badge

            Re: Any monitoring taking place?

            Civil servants cover a whole gamut of pay scales. But yes, "grunt-work" tends to be on worse terms to much of Europe if you normalise income by living costs. The civil servants in Cheltenham at one point were asking me to apply for jobs - and they simply cannot compete with the private sector other than on the perception of the appeal of the job.

            There are some obvious outliers. UK Junior doctors are shafted in early career (pay has literally not changed in 20-odd years, to the point that you almost cannot afford to take the job); though once established being a GP or Surgeon is decidedly profitable. Finland directs the-best-of-the-best qualified people into teaching jobs, using very favourable terms. And conversely there are many poorer countries in Europe that by definition have lower costs.

            Regarding overpaid consultants and bad manglement: 215 NHS Trusts, all with duplicated services and management for procurement, IT, etc.

            Lots of pork to go round, but regularly not enough hospital beds and staff to operate them.

            What we really need is another consultation to figure this out and write another report to gather dust. Yay! more money printing!

          2. Peter2 Silver badge

            Re: Any monitoring taking place?

            (UK tax burden is very low compared to other developed countries)

            Are you actually serious?! You're comparing payroll and income tax and treating it as the total tax burden. That's so painfully and ridiculously absurd as to be laughable. Let's just look at the taxes on fuel between the US and the UK.

            In the US, they pay 18.4 cents per gallon tax on their fuel.

            In the UK we pay 52.95p per litre, and we then pay 20% VAT on the total. There are 3.78 litres to the US Gallon, so assuming that the fuel was given away free then we'd pay £2.15 in fuel duty, and then 20% VAT so £2.40 just in tax, compared to 18c (~£0.14) in the US.

            Your figures completely ignore that, as well as other similar absurdities elsewhere with unavoidable spending being taxed heavily.

            I would suggest that a better method might be to take the total tax take for different countries and compare it to that country's GDP.

            ie;

            France has a GDP of 2.958 trillion USD (2021) and a total tax revenue for that year of 422.9 billion euros.

            The UK has a GDP of 3.131 trillion USD (2021) and a total tax revenue of £715.53 billion. (830.18 billion Euros)

            I'm fairly sure that you can feel this question coming; if our tax burden is lower then how come it's delivering practically twice the tax? The tax burden on our economy is (surely?) ~double if it's producing double the amount.

      2. Anonymous Coward
        Anonymous Coward

        Re: Any monitoring taking place?

        wolfetone: I don't want to make this political, but we have had 13 years of cuts and "austerity" which has affected so many departments you'd need the toes of a co-worker to count them. Roles such as police and nurses have been cut (or at least the budgets servicing them have been, forcing the cuts), why do we think IT would remain ring fenced among all of this?

        Austerity? See chart 1 in the link below:

        https://www.gov.uk/government/statistics/public-spending-statistics-release-may-2023/public-spending-statistics-may-2023

        So, without making it political (or do if you want), how much further would you raise public spending, or what of existing spending would you cut? Maybe the state should spend more than half of national income?

    3. Anonymous Coward
      Anonymous Coward

      Re: Any monitoring taking place?

      Agree with the general sentiment that notification takes too long and there's too little monitoring, but it might be unfair to compare the time in this case with the typical.

      Time to detection is as much about the skill of the attacker as the skills of the defender - and as noted in the article it's entirely possible this was a very special class of attacker. If so, the surprise might not be how long it took to detect them, but that they were detected at all. Advanced Persistent Threats are, by definition, persistent.

  5. Anonymous Coward
    Anonymous Coward

    Whoopsie.

    Though I really don't understand how they had access for so long and not be detected. Clearly they must have had some high level access probably for an analyst who was pulling data from this all the time. Have they not set up 2FA on the data and systems with a pin code as well? Do they not monitor user access and the IP addresses that comes from and what they pull in reports each week that can be reviewed by managers?

    Then again probably not as security is always an afterthought.

    Edit: From what I understand this is just electoral roll information. What's the big deal? Companies buy this from all the councils and sell it anyway.

    1. Anonymous Coward
      Anonymous Coward

      "Edit: From what I understand this is just electoral roll information. What's the big deal? Companies buy this from all the councils and sell it anyway."

      But the data that has been (potentially) accessed are the names/addresses of voters who did NOT want their data put on a publicly available electoral voting list. And there are apparently many millions of names/addresses on this database.

      So, these could be vulnerable people, even people who have had abusive former partners, or maybe people with mental issues...and now their data might be mis-used, or even merged in with other data sets...thereby creating a bigger target list of people to scam.

      1. TheMaskedMan Silver badge

        "But the data that has been (potentially) accessed are the names/addresses of voters who did NOT want their data put on a publicly available electoral voting list."

        It always amazes me that anyone would want their data on a publicly available list. It's so easy to tick the box, yet apparently millions of people don't. Admittedly, my local council used to routinely UNtick it every time they sent you the form to confirm the accuracy of the information, but they stopped doing that a while ago.

        Of course, electoral roll or no, it's usually easy enough to track someone down these days, what with social media posts, companies house records etc, but I can't see any benefit in volunteering that information on the public electoral roll.

        1. Anonymous Coward
          Anonymous Coward

          anyone would want their data on a publicly available list. It's so easy to tick the box

          strangely coincides with 'box to tick' on giving up your data to the world on the internets. Box to tick, surely not intentional, eh?

      2. Anonymous Coward
        Anonymous Coward

        Those most at risk are covered in the article "The registers did not include the details of anyone who registered anonymously."

        though it takes a bit of effort to get on the list https://www.electoralcommission.org.uk/i-am-a/voter/register-vote/register-vote-anonymously

      3. Anonymous Coward
        Anonymous Coward

        Fair enough I misunderstood. Thanks for correcting me. Though I do wonder what safeguards credit reference agencies have as they have access to the full register and can search it when you authorise a credit check.

      4. Hugo Rune
        Headmaster

        "these could be vulnerable people, even people who have had abusive former partners, or maybe people with mental issues"

        Nope. Just people who tick the box to protect their own privacy and opt out of the public register.

      5. CrazyOldCatMan Silver badge

        are the names/addresses of voters who did NOT want their data put on a publicly available electoral voting list

        Like me. I *always* tick the "I do not want my details to be public" box.

  6. M7S

    Ubiquity

    Given that it is effectively unlawful not to register to vote in the UK, this basically affects everyone over the age of twenty or thereabouts.

    Thank you UK government

    If I had been responsible for something similar as a data controller in a commercial enterprise, I’d expect a hefty penalty. Probably here it will be seen as “not in the public interest” to prosecute.

    For the government’s definition of public interest.

    1. Disgusted of Cheltenham

      Re: Ubiquity

      Instead of adopting the Australian system of ensuring that everyone gets a chance to vote, our politicians have been keen to increase the participation rate in elections. So instead of the ‘head of household’ registering everyone, the onus was on people to do it themselves; those with no intention of voting would not bother, so the rate would go up. Not appearing can be a problem for credit reference, but still it was optional until the House of Lords (with unusual ignorance) stepped in with an amendment to put a civil penalty (i.e. fine that couldn’t turn you into a news item by being jailed for failure to pay) for those not registering when asked to by a registration officer.

      If there was any thinking behind this it may have been in relation to jury service, where you stand a chance of being called for each place in which you appear on the register. Some small business owners would rather not take this risk and thus be encouraged not to vote. (They might also not want to walk near the court to avoid “praying a tales”.) It’s time we threw out the electoral roll, with all its accumulated out of date but explicit data protection oddities, and had a jury status list for all residents, with uniqueness, preferably by extending the settled status register to include everyone.

      Meanwhile what will happen if what is being called ID is needed for postal vote? Getting a civil penalty for not having it is not acceptable.

      Whilst not remotely surprised by the attack, and just waiting for the same on one.login, the response that we should "remain vigilant for unauthorised use or release of [their] personal data" is spectacularly unhelpful. What, exactly, should we do, especially now we can't play the trick of adjusting the postcode (before they were used - last two digits showed where it was copied from if you were careful to note which digits you gave to whom)?

      1. Anonymous Coward
        Anonymous Coward

        Re: Ubiquity

        From what I can see, Australians still need to register to vote, so they can see who hasn't and needs to be chased or fined after the event.

        Very few councils will enforce a civil penalty, even if they get round to issuing one, as it is not worth the time and effort it would take to get to that point.

        The longer I work with government, the more I come around to the idea of a national ID card like Germany's which would take away all the registration requirements.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ubiquity

          >> The longer I work with government, the more I come around to the idea of a national ID card like Germany's which would take away all the registration requirements.

          The same Germany where it's mandatory, under threat of a hefty fine (1,000 EUR), to register in the local residential register (Einwohnermeldeamt) of your council/county? So that said residential register is able to sell on your personal information to other parties, including criminals?

        2. Disgusted of Cheltenham

          Re: Ubiquity

          The focus on just a single technology remains a bad idea, although cards could be part of the mix as the Irish have deftly done: allowing one of the two forms for the passport allows that travel document to look and feel like an ID card and offers the functionality without igniting panic. A compulsory unique physical token offers scope for blackmail and control (e.g. over wives and daughters) that may not have been a significant issue when the German Ausweis was introduced (in the same year the UK wartime ID card was scrapped).

  7. NewModelArmy
    Happy

    Latest : Electoral Commission Suggestion

    Since everyone's data has now been stolen, the Electoral Commission has concluded that, to thwart the hackers, everyone should move house, thus nullifying the electoral register stolen.

    Failing that, people can also change their names via Deed Poll.

    1. Anonymous Coward
      Anonymous Coward

      Re: Latest : Electoral Commission Suggestion

      “Everyone should move House”

      Right, so on Thursday everyone needs to move one house to their left up and down the country.

      Sorted.

      (Joke)

  8. Roger Kynaston Silver badge

    security is borked

    This is only the latest in a series of terrible breaches of data - Crapita not securing an S3 bucket with USS pension details on it. Other actors stealing data from LPFA and such like. I am now working on the assumption that I have been comprehensively pwned.

    I don't know if it is state actors or straightforward crims (assuming there is a difference) but we need a completely new approach to security. At present, it appears that I am responsible for policing any unauthorised use of my data and there is no recourse to get compensation from the leaker - perhaps that should be the case.

    </rant>

    1. Richard 12 Silver badge

      Re: security is borked

      Perhaps grating government ministers each time.

      There'd be a very large list of volunteers willing to donate their time and cheesegraters to the cause.

      Seriously, something that would help a lot is a 99% marginal tax rate on non-parliamentary income for MPs and ministers, coupled with a 105% marginal rate on any paid employment or donations taken against the recommendation of the relevant standards committee.

      It'd raise about £10 million a year, give or take.

      1. Claverhouse Silver badge

        Re: security is borked

        And that's just from Boris !

        1. Roger Kynaston Silver badge

          correct name for a certain former PM

          Please don't call him that. The correct term is "that lying little shit" or "the blonde pus monster"

  9. RogerT

    "The registers did not include the details of anyone who registered anonymously."

    If the registers did not contain details of those registered anonymously the Electoral Commission must have known their systems were not particularly secure.

    Why did it take them so long to announce they'd been hacked?

    1. Richard 12 Silver badge

      Re: "The registers did not include the details of anyone who registered anonymously."

      What does that statement even mean?

      You can't register anonymously!

      Do they mean the option to be removed from the "edited" register so your name isn't sold to all the scammers, or the "persons of special interest" like Farage, or something else?

      1. J.G.Harston Silver badge

        Re: "The registers did not include the details of anyone who registered anonymously."

        You can register anonymously. Pop into the library and look at the public registers, at the bottom of each "chapter" there is sometimes a couple of entries:

        Other electors

        991 Fred Jones

        992 Velma Dinkley

        993 (name removed)

        994 (name removed)

        Fred and Velma are overseas electors with no address, so they are listed after all the people with addresses. Elector 993 and 994 are electors who have qualified to be anonymous. They are put at the end so it's not bleedin' obvious where they live, eg:

        Mystery Avenue

        801 Fred Jones, 1

        802 (name removed), 1

        803 Velma Dinkley, 2

        Anonymous entries are very rare, and I had to quickly patch some of my code the first time I encountered one. Anonymous entries are sometimes confused with entries not on the public register. In this case the raw register looks like:

        Mystery Avenue

        801 Fred Jones, 1

        802E Daphney Blake, 1

        803 Velma Dinkley, 2

        and the edited register looks like:

        Mystery Avenue

        801 Fred Jones, 1

        803 Velma Dinkley, 2

        which is indistinguishable from where somebody has moved house during the year.

        1. JimboSmith Silver badge

          Re: "The registers did not include the details of anyone who registered anonymously."

          Have an upvote for the Scooby references.

          1. Anonymous Coward
            Anonymous Coward

            Re: "The registers did not include the details of anyone who registered anonymously."

            Unlike the Electoral Commission who clearly don't have a scooby.

          2. Winkypop Silver badge

            Re: "The registers did not include the details of anyone who registered anonymously."

            I blame those pesky kids!

        2. Binraider Silver badge

          Re: "The registers did not include the details of anyone who registered anonymously."

          Indeed, certain terrorist outfits active in the 80s would be very interested in knowing where military personnel reside.

          When one thinks about it, at the moment your identity and data is made of a dozen databases that corroborate each other. Voters roll, passport, dvla, nhs, etc. each org needs to duplicate this capability and security around it.

          Why don’t we choose to do it once, well, rather than multiple times on a shoestring?

          1. R Soul Silver badge

            Why don’t we choose to do it once, well, rather than multiple times on a shoestring?

            Several reasons.

            1) There's no such thing as a government IT system that works well - and no hope of ever having one.

            2) All the organisations (and the rest) have different requirements and priorities, sometimes mutually exclusive - both internally and with each other.

            3) Such a database would be prone to abuse. Why should some PFY at the council (say) get to see or change your passport data?

            4) A database like that would be a remarkably bad SPoF.

            5) The database would be an Orwellian nightmare far beyond anything in Blunkett, Bliar and New Liebour's wettest wet dreams.

            6) A future government will surely extend and misuse that database: "your car doesn't have an MOT: no heart transplant for you", "let's sell off the data to that nice Mr Musk/Thiel/Bezos/Beardie/Zuckerberg", "would you like to try our new ad platform google?", etc?

            7) The consequences for the individual of a false positive/negative would be devastating.

            8) Crapita would get the contract to run it all.

            There are bound to be more. These are just the ones that popped up after thinking about it for a second or two.

  10. cantankerous swineherd

    another complex attack, presumably someone clicked the link in the email

  11. t245t
    Big Brother

    It was the Russians says the GCHQ /s

    On BBC R4 this afternoon David Omand formerly of the GCHQ, said it had to be the Russians. Because they also interfered in the US elections. Even though the only people who interfered in the US elections was the DNC and the Clinton campaign in collusion with Christopher Steele formerly of the MI6 /s

    BBC R4: 08/08/2023: PM: 36:46 - 42:51: “Afternoon news and current affairs programme, reporting on breaking stories and summing up the day's headlines

    "We regret that sufficient protections were not in place to prevent this cyber-attack," Electoral Commission Chief Executive Shaun McNally said in a statement. "Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems."

    I suspect such systems are rendered insecure precisely so as the spooks can hoover-up all our ‘confidential’ files. Purely in the interests of protecting us from the terr'ists /s

    1. Anonymous Coward
      Anonymous Coward

      fake news

      "Even though the only people who interfered in the US elections was the DNC and the Clinton campaign in collusion with Christopher Steele formerly of the MI6".

      Didn't the lizard people do this too? Or have you been watching very unhealthy amounts of Faux News and other Trumpish bullshit?

    2. ScottishYorkshireMan

      Re: It was the Russians says the GCHQ /s

      I guess if it was the Russians it must be ok then, after all, some useless tub of lard put a Russian in the House of Lords, to the delight of those who favour Blue corruption.

  12. Anonymous Coward
    Anonymous Coward

    Funny

    As someone who has to deal with them, when we've uploaded registers they normally stay there for ages. Recently, we noticed they'd get them and shortly after delete.

    So when they say "It was a sophisticated attack" I suspect it wasn't. I suspect it was a case of "No we're not paying for an IT security test as it costs too much..blah blah blah".

  13. JimmyPage

    I would bet a pound to a penny

    That this data is now being used to plan the Tories next election campaign.

    1. J.G.Harston Silver badge

      Re: I would bet a pound to a penny

      Why go to that bother? Political parties and election candidates get the data by virtue of being political parties and election candidates anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: I would bet a pound to a penny

        They get that data with conditions and strings.

        Stolen data has no such baggage.

  14. Anonymous Coward
    Anonymous Coward

    Nice Governance going on here...

  15. Boris the Cockroach Silver badge
    Facepalm

    Any bets on the

    server having a root account of 'admin' and a password of '1234' ?

    And answers as to "why wasn't this data encrypted?"

  16. amanfromMars 1 Silver badge

    J’accuse.

    It doesn't help if the organization responsible for the integrity of elections gets pwned

    Small beer and potatoes and just something of a temporary distraction whenever elected government ministers and administrative executive offices are being realised as already so very easily pwned and not in command and control of anything leading bleeding cutting edge and creditworthy.

    And just as the news is reporting it to you daily with the assistance of their hosting with the presentation of assorted fantastic tales of more doom and gloom and mayhem and madness and chaos and terror for them to fail spectacularly to effectively curtail and prevent ..... and deal with otherworldly wisely.

    Nodding donkeys leading pussy cat lions with lunatics in charge of asylum seekers is the current very accurate descriptor of all present running Great Game states of geopolitically incorrect and inept national and international and internetional play which have neither any good idea nor a master plan with solutions to resolve the situation and move everything on by quantum leaps and almighty bounds.

  17. jmch Silver badge

    Anonymous Registration???

    "The registers did not include the details of anyone who registered anonymously..."

    How does this work??? If someone registers anonymously, how do the electoral commission know who it is, whether they are eligible to vote, how is it ensured that this person only voted once etc etc???

    1. Anonymous Coward
      Anonymous Coward

      Re: Anonymous Registration???

      You receive a polling card in the post in a handwritten white envelope with a real stamp on it to show at the polling station. I don't know how this works with HMG's voter suppression rules.

    2. J.G.Harston Silver badge

      Re: Anonymous Registration???

      The Electoral Commission don't know. All the EC have is just a backup copy of the public register, not the background admin documentation.

      The local council election office - who are in charge of actually doing elections - are the ones who know. They are the ones responsible for ensuring an elector votes no more than once, by the simple expedient of printing the polling station register with all postal voters removed or crossed out, and drawing a line through the name on the polling station register once the ballot has been handed to the elector - and of course, only handing a ballot to an elector whose name has not been crossed out.

  18. Anonymous Coward
    Anonymous Coward

    perhaps

    storing voters' ID images within the system would be the right trajectory. Trust & verify, as my good old comrade used to say.

    1. Anonymous Coward
      Anonymous Coward

      Re: perhaps

      Because postal votes aren't a thing?

  19. Anonymous Coward
    Anonymous Coward

    You GET exactly

    What you don’t pay for.

  20. Anonymous Coward
    Anonymous Coward

    Dates

    There is the reference to 2014 to 2022. Does this mean people who actually registered between those dates, or does it also include people who were already registered before 2014 and are still registered at the same address?

    1. Jason Bloomberg Silver badge

      Re: Dates

      I believe that everyone registers every year. 'Same as before' is just for convenience. So it's presumably anyone who was registered in any year between 2014 and 2022, which explains the huge 40 million figure.

    2. J.G.Harston Silver badge

      Re: Dates

      It will be whatever the 2014 electoral register was, regardless of whether those people on that register were new residents or had been there for ages. The register includes no residency length information, the only way you can calculate this is by having multiple registers over multiple years and tracking the address through each subsequent year's register.

      I actually did this a while ago. I was working out how long my grandparents had lived at a certain address. I started with the 1950 register and found them, checked each year going backwards until they disappeared in the 1947 register, and checked each year going forwards until they disappeared on the 1960 register. So they lived at this address from 1948 to 1959.

  21. Fruit and Nutcase Silver badge
    Joke

    Palantir

    I think the government should step in and ask Palantir to provide all the data handling and analysis for the Electoral Commission

    1. xyz Silver badge

      Re: Palantir

      And they could lend a hand to NI plod too who seem confused about what the "enter" key does.

      1. Fruit and Nutcase Silver badge

        Re: Palantir

        Bound to hear some government type wanting to limit FOI requests or disband them altogether.

  22. Zippy´s Sausage Factory
    Unhappy

    No doubt the UK government will use this as evidence to make Voter ID more strict as well as the banning encryption nonsense.

  23. Anonymous Coward
    Anonymous Coward

    Article Image

    Please fix the image attached to the article. Stop showing our UK flag upside down. Top left needs to have the thicker white stripe at the top. When you display it with the thin strip uppermost it is a distress signal. Or maybe that is intentional?

    It is like us showing the stars and stripes with the stars in the bottom left corner.

    Pedant icon required ===>

  24. Anonymous Coward
    Anonymous Coward

    There are fundamental questions that the Commission need to answer and the ICO must push them to respond to:

    Why are the Commission asserting that this does not pose a high level of risk to data protection and privacy rights and freedoms?

    How does this impact the financial sector, noting that electoral registration is used as a check for credit referencing? Have these processes been impacted/compromised?

    Has/Could the electoral register been compromised during the time of the attack - both in terms of edits but also correspondence with local authorities?

    Why did it take the Commission so long before disclosing this breach to the public?

    How did this breach occur?

  25. Anonymous Coward
    Anonymous Coward

    "the commission's Exchange server"

    Quelle surprise. Exchange means a Windows server.

    Now, I am not for one moment going to claim that Unix/Linux servers are unhackable, but they usually tend to be harder to hack (and, dare I say it, the sysadmins tend, because of the nature of the job, to be more clueful and knowledgeable, and take security more seriously, rather than just clicking through some setup wizard and not taking care to lock down all aspects of the system such as firewalls, accounts, services, etc). And also so many of these Windows attacks seem to involve social engineering, with a non-technical Windows user being convinced to open a link or attachment that allows malware on to their computer, which then infects the rest of the Windows-based network.

    Is it perhaps time to start asking why on earth Windows-based servers are facing the external internet in these organisations at all? Certainly a lot of email/web/database/etc services could be run on Linux servers far more cheaply (massively reduced or no software licensing costs for starters) and those computers that do need to run Windows could be sectioned off into their own plague pit within the network, and not allowed to connect to the outside world directly at all?
