The British electoral commission on Tuesday (8th August 2023), disclosed an advanced cyberbreach, exposing over 40-million Britons voting information’s.
According to their report, the attack was ongoing for over 12-months without being noticed. A declaration on their official website in reference to the electoral commission law of article 34 and 34 of the UK general data protection:
“This notification gives important information about the personal data affected, the potential impact on individuals, and measures we’ve taken in response to a complex cyber-attack. The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.”
The unauthorized access by the attackers gave them entry to the electoral commissions server that is responsible in holding sensitive data such as emails, control systems, and copies of electoral registers.
The commission stated that these threat actors were able to access British electoral commission server, exposing voter’s data of over 40 million Britons, which is in custody of the electoral commission for research purposes; with matters related to political donations.
Sensitive information, such as names and residential address of eligible voters registered for over 8-years (between the year 2014 to 2022), were exfiltrated by the threat groups. Also, information belonging to registered voters of British citizen living overseas were also part of the stolen records.
The commission made a public apology on their website stating:
“We understand the concern this attack may cause and apologise to those affected. Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken actions to secure our systems, and reduce the risk of future attacks.”
A public notification was made by the commission stating the list of sensitive data that were affected by the cyber-attack in a statement issued:
“It is our assessment that the information affected by this breach does not pose a high risk to individuals’ ad this notification is being given due to the high volume of personal data potentially viewed or removed during the cyber-attack.”
The List of Sensitive Data Stolen:
The list of sensitive data stolen are the following from the commissions email system:
- Name, first name and surname.
- Email addresses (personal and/or business)
- Home addresses if included in a webform or email.
- Contact telephone number (personal and/or business).
- Content of the webform and email that may contain personal data.
- Date on which a person achieves voting age that year.
Other stolen information includes electoral data not held by the commission such as: anonymous registrations, address of overseas electors registered outside of the UK.
IMPACT:
The commission risk assessment team disclosed that the procedures utilized in accessing the system to ascertain the damage done, shows that information such as name and address does not pose a high risk to its citizens or individuals.
However, the possibility that the information stolen, combined with other public data from other sources shared by these individuals, can be utilized by the attacker to build a profile on the individual. Furthermore, information held in the email server that was compromised do not impose high risk as well; exception, is if individuals have sent sensitive information’s such as medical conditions, gender, sexuality, and personal financial details in an email message body.
The commission assured the citizens saying:
“No immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorized use or release of their personal data. If you have concerns over personal data which you may have sent to the commission, please contact our Data protection officer.”
Mitigation:
The commission provided a list of mitigation. In a notice, it was announced that they have taken steps to secure their systems against possible future attacks.
“We have strengthened our network login requirements, improved the monitoring and alert systems for active threats and reviewed and updated our firewall policies.”
Also, it is noted that the commission has worked hard with external security professionals and the National Cyber Security Centre (NCSC), to carryout an investigation and secure their systems.
Hopefully, the system should be able to withstand future attacks, if proper security measures that were put in place, is strong enough to wade off the bad guys.
Put your comments below in the comment section on your thoughts about this.