Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Surging Progressive Once Said Black Democratic Leaders ‘Defang The White Left’

    July 12, 2026

    10 Hacks Every Google Home User Should Know

    July 11, 2026

    What Happens If Donald Trump Dies In Office?

    July 11, 2026
    Facebook X (Twitter) Instagram
    Trending
    • Surging Progressive Once Said Black Democratic Leaders ‘Defang The White Left’
    • 10 Hacks Every Google Home User Should Know
    • What Happens If Donald Trump Dies In Office?
    • The 4 S’s of YouTube Success
    • ‘Too Good To Be True’: Many Parents Are Wary Of Opening A Trump Account. Here’s Why Financial Experts Say They Should.
    • Author: ‘Highly Classified’ Trump Meeting Had Strange Interruption
    • AAVE Price Prediction: $100 Is the Line in the Sand — Here’s What Comes Next
    • Maggie Haberman Reveals A Growing Disconnect Between Trump And His Own Team
    Facebook X (Twitter)
    SBM Global News
    Demo
    • Home
    • Top Stories
      • Politics
    • Business
      • Small Business
      • Marketing
    • Finance
      • Investment
    • Technology

      Oratomic raises $300M to build a viable quantum computer that needs only 20K qubits

      July 11, 2026
      Read More

      GRC3 – Company Profile – AllBusiness.com

      July 10, 2026
      Read More

      Truecaller clashes with India’s telecom regulator over anti-spam rules

      July 9, 2026
      Read More

      American Security Devices – Company Profile

      July 8, 2026
      Read More

      X adds a video editor to encourage creators to post original content, not stolen reposts

      July 8, 2026
      Read More
    • Lifestyle
      • Travel
    • Feel Good
    • Get In Touch
    SBM Global News
    Demo
    Home»Technology»How the theft of 40M UK voter register records was entirely preventable
    Technology

    How the theft of 40M UK voter register records was entirely preventable

    By Staff WriterAugust 3, 20248 Mins Read
    Facebook Twitter LinkedIn Reddit Email
    #image_title
    Share
    Facebook Twitter LinkedIn Pinterest Email

    A cyberattack on the U.K. Electoral Commission that resulted in the data breach of voter register records on 40 million people was entirely preventable had the organization used basic security measures, according to the findings from a damning report by the U.K.’s data protection watchdog published this week.

    The report published by the U.K.’s Information Commissioner’s Office on Monday blamed the Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote in elections, for a series of security failings that led to the mass theft of voter information beginning August 2021.

    The Electoral Commission did not discover the compromise of its systems until more than a year later in October 2022 and took until August 2023 to publicly disclose the year-long data breach.

    The Commission said at the time of public disclosure that the hackers broke into servers containing its email and stole, among other things, copies of the U.K. electoral registers. Those registers store information on voters who registered between 2014 and 2022, and include names, postal addresses, phone numbers and nonpublic voter information.

    The U.K. government later attributed the intrusion to China, with senior officials warning that the stolen data could be used for “large-scale espionage and transnational repression of perceived dissidents and critics in the U.K.” China denied involvement in the breach.

    The ICO issued its formal rebuke of the Electoral Commission on Monday for violating U.K. data protection laws, adding: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.” 

    For its part, the Electoral Commission conceded in a brief statement following the report’s publication that “sufficient protections were not in place to prevent the cyber-attack on the Commission.” 

    Until the ICO’s report, it wasn’t clear exactly what led to the compromise of tens of millions of U.K. voters’ information — or what could have been done differently.

    Now we know that the ICO specifically blamed the Commission for not patching “known software vulnerabilities” in its email server, which was the initial point of intrusion for the hackers who made off with reams of voter data. The report also confirms a detail as reported by TechCrunch in 2023 that the Commission’s email was a self-hosted Microsoft Exchange server.

    In its report, the ICO confirmed that at least two groups of malicious hackers broke into the Commission’s self-hosted Exchange server during 2021 and 2022 using a chain of three vulnerabilities collectively referred to as ProxyShell, which allowed the hackers to break in, take control, and plant malicious code on the server. 

    Microsoft released patches for ProxyShell several months earlier in April and May 2021, but the Commission had not installed them.

    By August 2021, U.S. cybersecurity agency CISA began sounding the alarm that malicious hackers were actively exploiting ProxyShell, at which point any organization that had an effective security patching process in place had already rolled out fixes months ago and were already protected. The Electoral Commission was not one of those organizations.

    “The Electoral Commission did not have an appropriate patching regime in place at the time of the incident,” read the ICO’s report. “This failing is a basic measure.”

    Among the other notable security issues discovered during the ICO’s investigation, the Electoral Commission allowed passwords that were “highly susceptible” to have been guessed, and that the Commission confirmed it was “aware” that parts of its infrastructure were out of date.

    Demo

    ICO deputy commissioner Stephen Bonner said in a statement on the ICO’s report and reprimand: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.” 

    Why didn’t the ICO fine the Electoral Commission?

    An entirely preventable cyberattack that exposed the personal data of 40 million U.K. voters might sound like a serious enough breach for the Electoral Commission to be penalized with a fine, not just a reprimand. Yet, the ICO has only issued a public dressing-down for the sloppy security. 

    Public sector bodies have faced penalties for breaking data protection rules in the past. But in June 2022 under the prior conservative government, the ICO announced it would trial a revised approach to enforcement on public bodies. 

    The regulator said the policy change meant public authorities would be unlikely to see large fines imposed for breaches for the next two years, even as the ICO suggested incidents would still be thoroughly investigated. But the sector was told to expect increased use of reprimands and other enforcement powers, rather than fines. 

    In an open letter explaining the move at the time, information commissioner John Edwards wrote: “I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

    At a glance, it might look like the Electoral Commission had the good fortune to discover its breach within the ICO’s two-year trial of a softer approach to sectoral enforcement.

    In concert with the ICO saying it would test fewer sanctions for public sector data breaches, Edwards said the regulator would adopt a more proactive workflow of outreach to senior leaders at public authorities to try to raise standards and drive data protection compliance across government bodies through a harm-prevention approach.

    However, when Edwards revealed the plan to test combining softer enforcement with proactive outreach, he conceded it would require effort at both ends, writing: “[W]e cannot do this on our own. There must be accountability to deliver these improvements on all sides.”

    The Electoral Commission breach might therefore raise wider questions over the success of the ICO’s trial, including whether public sector authorities have held up their side of a bargain that was supposed to justify the softer enforcement. 

    Certainly it does not appear that the Electoral Commission was adequately proactive in assessing breach risks in the early months of the ICO trial — that is, before it discovered the intrusion in October 2022. The ICO’s reprimand dubbing the Commission’s failure to patch known software flaw as a “basic measure,” for example, sounds like the definition of an avoidable data breach the regulator had said it wanted its public sector policy shift to purge. 

    In this case, however, the ICO claims it did not apply the softer public sector enforcement policy in this case. 

    Responding to questions about why it didn’t impose a penalty on the Electoral Commission, ICO spokeswoman Lucy Milburn told TechCrunch: “Following a thorough investigation, a fine was not considered for this case. Despite the number of people impacted, the personal data involved was limited to primarily names and addresses contained in the Electoral Register. Our investigation did not find any evidence that personal data was misused, or that any direct harm has been caused by this breach.”

    “The Electoral Commission has now taken the necessary steps we would expect to improve its security in the aftermath, including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users,” the spokesperson added. 

    As the regulator tells it, no fine was issued because no data was misused, or rather, the ICO didn’t find any evidence of misuse. Merely exposing the information of 40 million voters did not meet the ICO’s bar. 

    One might wonder how much of the regulator’s investigation was focused on figuring out how voter information might have been misused? 

    Returning to the ICO’s public sector enforcement trial in late June, as the experiment approached the two-year mark, the regulator issued a statement saying it would review the policy before making a decision on the future of its sectoral approach in the fall. 

    Whether the policy sticks or there’s a shift to fewer reprimands and more fines for public sector data breaches remains to be seen. Regardless, the Electoral Commission breach case shows the ICO is reluctant to sanction the public sector — unless exposing people’s data can be linked to demonstrable harm. 

    It’s not clear how a regulatory approach that’s lax on deterrence by design will help drive up data protection standards across government.

    View original article here

    Share. Facebook Twitter LinkedIn Email Reddit
    Previous ArticleHunter Biden To Be Sentenced On Gun Charges In November
    Next Article Directional Reporting in GA4 — Whiteboard Friday

    Related Posts

    Oratomic raises $300M to build a viable quantum computer that needs only 20K qubits

    July 11, 2026
    Read More

    GRC3 – Company Profile – AllBusiness.com

    July 10, 2026
    Read More

    Truecaller clashes with India’s telecom regulator over anti-spam rules

    July 9, 2026
    Read More
    Add A Comment

    Leave A Reply Cancel Reply

    Demo
    Top Posts

    Former FBI, CIA Head Has ‘Serious Concerns’ With Trump Cabinet Picks

    December 28, 2024435

    Emirates to operate next-gen A350 on the third daily service to Cape Town

    January 14, 2026256

    AAVE Price Prediction: Target $215-225 by Mid-January 2025 as Technical Indicators Signal Bullish Momentum

    December 15, 2025240

    Ventive Hospitality Joins Green Fins: Strong ESG Lift

    February 17, 2026211
    Don't Miss
    Politics

    Surging Progressive Once Said Black Democratic Leaders ‘Defang The White Left’

    By Staff WriterJuly 12, 20266 Mins Read

    WASHINGTON – A progressive House candidate whose surge in a battleground district in Michigan has…

    Read More

    10 Hacks Every Google Home User Should Know

    July 11, 2026

    What Happens If Donald Trump Dies In Office?

    July 11, 2026

    The 4 S’s of YouTube Success

    July 11, 2026
    Stay In Touch
    • Facebook
    • Twitter
    Demo
    About Us

    Small Business Minder brings together business and related news from around the world in one place. Follow us for all the business news you'll need.

    Facebook X (Twitter)
    Our Picks

    Surging Progressive Once Said Black Democratic Leaders ‘Defang The White Left’

    July 12, 2026

    10 Hacks Every Google Home User Should Know

    July 11, 2026
    Most Popular

    Former FBI, CIA Head Has ‘Serious Concerns’ With Trump Cabinet Picks

    December 28, 2024435

    Emirates to operate next-gen A350 on the third daily service to Cape Town

    January 14, 2026256
    © 2026 Small Business Minder
    • Home
    • Get In Touch

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. To get the most from our site, please disable your Ad Blocker.