
UK Electoral Commission failed cybersecurity test before cyberattack

Written by Thu 7 Sep 2023

The UK Electoral Commission failed a National Cyber Security Centre (NCSC) Cyber Essentials test in the same year it suffered a cyberattack where details of 40 million voters were compromised.

A whistleblower told the BBC that the Commission was given an automatic fail during the cybersecurity test after assessors discovered it was non-compliant with the scheme.

A spokeswoman for the Commission admitted the failings, but claimed they were unrelated to the recent cyberattack that affected its email servers. The Guardian reported that the issues stemmed from an outdated version of Windows on some laptops and outdated software on staff mobile phones.

“We regularly seek guidance and feedback on our systems to deal with the continued risk of cyberthreats as they evolve and take different forms. We welcome these learnings and act on them,” said a Commission spokesperson.

The announcement of the Commission’s failure comes after a cyberattack that was reported in August 2023. Investigations revealed that hostile actors had gained unauthorised access to the Commission’s servers as early as August 2021.

These servers housed the Commission’s emails, control systems, and copies of the electoral registers. It is not known what files were accessed.

The Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying a possible data breach. This is in line with legal requirements.

The Electoral Commission apologised to those affected. With the support of specialists, it is taking steps to improve the security, resilience, and reliability of its IT systems.

What is the Cyber Essentials test?

The Cyber Essentials test is a Government-backed voluntary assessment of an organisation’s cybersecurity readiness.

The Government requires all suppliers bidding for contracts involving the handling of sensitive and personal information to hold an up-to-date Cyber Essentials certificate.

Certification involves more than simply ticking a compliance checkbox.

“It is a solid baseline to make sure that… obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on.

“The fact that the Electoral Commission recently failed the assessment is very worrying. Especially given that an organisation of such prominence would normally be expected to be Cyber Essentials Plus certified,” said Ryan McConechy, CTO at Barrier Networks, a cyber protection, detection and response specialist.

The NCSC stated that vulnerability to basic attacks can mark organisations as a target for more in-depth attention from cybercriminals.

“No organisation that handles the data of the UK population should ever gamble with security, the requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee,” added McConechy.

As cybercriminals intensify their focus on critical government infrastructure, the need for robust protection becomes increasingly critical.

“The longer an attacker stays undetected in a network, the more damage they can do,” said Andrew Rose, Resident CISO at Proofpoint.
