UK Electoral Commission slapped for basic cybersecurity fails

The UK's Electoral Commission has received a formal slap on the wrist for a litany of security failings that led to the theft of personal data belonging to around 40 million voters. Official documents from the Information Commissioner's Office (ICO) say the people responsible for the 2021 cyberattack on the Electoral …

  1. jake Silver badge

    Methinks the political spin is strong in this one.

    In the tiny little corrupt minds of politicians, saying "around 40 million voters" somehow sounds better than "the entire electoral roll".

    Note: I'm guessing there are somewhere around 45 million voters in the UK. If I'm wrong, I'm sure I'll be corrected. Ta in advance, have a beer.

    1. Doctor Syntax Silver badge

      Re: Methinks the political spin is strong in this one.

      Much of the electoral roll is public anyway.

      1. veti Silver badge

        Re: Methinks the political spin is strong in this one.

        That's what I was thinking. Every political candidate has access to this data, they use it for their statutory free mailshot during the campaign. How sensitive can it be?

        1. I ain't Spartacus Gold badge

          Re: Methinks the political spin is strong in this one.

          Aren't companies also allowed to buy the basic electoral roll data? Like credit reference agencies and possibly even just anyone. Or is that just that they're allowed to do a lookup against it, to match names to addresses? You used to be able to opt out of having your name publicly available, but I'm not sure if that's to companies, political parties, or both.

          1. Andy The Hat Silver badge

            Re: Methinks the political spin is strong in this one.

            If that data is not withheld when individuals opt out of the public register I would question the legitimate use of my data under GDPR.

            In line with the article though, two questions

            1) was the non-public register data available to Mr Hacker and

            2) were those impacted notified in a reasonable time by the organisation concerned?

            Given "40million" I'd suggest answers of yes and, to my knowledge as a voter registered on the electoral roll, no.

            Which beggars the question, what's the point of pursuing the case under GDPR as, even after the case is closed, those responsible have done nothing to mitigate the situation for those impacted?

            If Google or Amazon or whoever ignored a similar situation there'd be baying for blood from all and sundry but, because it's only Government incompetence, it's ok.

          2. Anonymous Coward

            Re: Methinks the political spin is strong in this one.

            > Aren't companies also allowed to buy the basic electoral roll data? Like credit reference agencies and possibly even just anyone.

            The "open register/edited register", which does not contain details of those opted-out, is available to purchase.

            The "full register" is available for free to specific organisations (such as British Library) and available to purchase by other specific organisations (such as credit reference agencies, gov departments) but not available for purchase in general.

            There's also the "marked register" in polling stations on which each person who has actually voted there is marked and anyone can inspect it afterwards.

          3. Cav

            Re: Methinks the political spin is strong in this one.

            Yes, companies are allowed to buy the data. For example, I research my family history. Ancestry, for one, has access to current electoral roll data and offers it as hints when people are researching even living individuals.

            1. Anonymous Coward

              Re: Methinks the political spin is strong in this one.

              > Yes, companies are allowed to buy the data. For example, I research my family history. Ancestry, for one, has access to current electoral roll data and offers it as hints when people are researching even living individuals.

              I would expect that Ancestry may have bought a copy of the Edited Register, not the Full Register, and therefore does not have the info of opted-out individuals.

    2. Ken Moorhouse Silver badge

      Re: Methinks the political spin is strong in this one.

      Roll on 2031, when there is the opportunity to slurp some data about Everyone in the UK - the Census, unless it gets abolished in the meantime.

      1. Anonymous Coward

        Re: Methinks the political spin is strong in this one.

        > Roll on 2031, when there is the opportunity to slurp some data about Everyone in the UK - the Census, unless it gets abolished in the meantime.

        The US company Leidos were involved in the 2021 UK Census.............and they've recently been hacked (though not necessarily anything related to the Census): https://www.reuters.com/technology/cybersecurity/hackers-leak-documents-pentagon-it-services-provider-leidos-bloomberg-news-2024-07-23/

  2. sitta_europea Silver badge

    Government IT. Couldn't find its arse with both hands tied behind its back.

    1. UnknownUnknown

      Puts perspective about Photo ID and other Voter obstruction or disablement (recent GE Postal Fiasco) activities well into the shade.

  3. alain williams Silver badge

    Who was harmed, so why care ?

    This is what many will think, including those at the electoral commission. But it is clear that China thought that putting the effort into getting the data was worthwhile.

    The consequences for some individuals could be great, I read stories on how China issues threats to people in England who have relatives in China.

    The consequences for those at the electoral commission will be receiving a memo on security that most will not bother to read.

    There is also the notion that as they have now fixed their Microsoft Exchange that all the harm is undone and there is no need to worry. Not true: China still has a list of all voters in the UK and much of the information will not change for years (when did you last move house ?).

  4. Mike 137 Silver badge

    As always

    "we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach"

    Depends how (and how hard) you look.

    1. jokerscrowbar

      Re: As always

      My local town hall peddles the data to any bidder anyway

      The issue seems to be that someone got access for free.

      1. Oldgroaner

        Re: As always

        Not to those who choose not to be on the publicly available list.

    2. I ain't Spartacus Gold badge

      Re: As always

      I guess by misused they mean phishing or social engineering.

      China could be using it to find journalists or people with relatives in China, but it could also be for basic research.

      Bellingcat use various leaked Russian databases as a brilliant way to cross reference data - there seem to be large amounts of phone company records, plus I think the national driving license database got put online. They used it as a way to track the 2 GRU agents sent to murder Skripal in Salisbury. And that data also then uncovered a bunch of other GRU agents, because a pizza chain got hacked and that gave the location of a GRU office where these guys had ordered deliveries.

      The more information you can collate, the more dangerous this is. Especially if you've also got access to top line hackers, as you might be able to narrow down what data you'd need to find stuff out.

    3. Phil O'Sophical Silver badge

      Re: As always

      And of course "sufficient protections were not in place" makes it sound like no-one's fault, and really should be "we did not put sufficient protections in place".

      I understand the reasoning behind not fining public bodies, but why not personally fine (and fire) the incompetent managers who signed off on the process?

    4. jake Silver badge

      Re: As always

      "Depends how (and how hard) you look."

      More to the point, it depends on WHEN you look.

      Today, all may be well. Tomorrow? Next month? Next year?

  5. Anonymous Coward

    Chinese state-sponsored attackers and the Electoral Roll

    > The key takeaways, however, are that Chinese state-sponsored attackers had access to around 40 million UK voters' names and home addresses

    Why not just request access to the Open Electoral Roll, which has the same information ?

  6. scrubber

    40 million voters

    The UK has never had 40 million voters. 40 million eligible voters, maybe, but very few people actually vote - for very good reasons.

    1. druck Silver badge

      Re: 40 million voters

      At the UK general election last month 60% of the 48 million registered voters voted, which while it was a comparatively low turn out for a general election, can hardly be described as very few.

      Plus there is never a good reason to waste your opportunity to vote.

  7. Mike_T.

    Until there are real penalties imposed for breaches like this nothing will change

    1. sabroni Silver badge

      When there are real penalties imposed for breaches like this the change will be the management shifting the responsibility for data protection on to their underlings.

  8. Anonymous Coward

    Speaking Out Of Both Sides Of Their Mouths....At The Same Time!!!!!

    Quote: "...Electoral Commission ... took 13 months to notice 40 million voters' data was compromised..."

    See also: "Revamped UK cybersecurity bill": https://www.theregister.com/2024/07/30/uk_csr_bill_analysis/

    Yup.....plenty of news about "doing something" by our lawmakers in Westminster...............

    ............but not much action in places actually responsible to the government............

    Why am I not surprised?
