Millions of UK voters' data exposed: Electoral Commission reprimanded over cybersecurity lapse

A wake-up call for software testers

The UK's data privacy watchdog has issued a formal reprimand to the Electoral Commission following revelations that millions of UK voters' personal details were left exposed to hackers because of outdated software and unchanged passwords. The Information Commissioner's Office (ICO) found that cyber-attackers had access to the Electoral Registers, which contain sensitive voter information, from August 2021 until they were expelled in 2022.

So what? This breach underscores the urgent need for effective security testing. Unauthorised access to voter data, including personal information like names and addresses, has potentially compromised the integrity of electoral systems.

  • Beginning in August 2021 cyber-attackers were able to access computers containing the Electoral Registers
  • It was only spotted when an employee reported that spam emails were being sent from the commission's own email server
  • The hack was resolved in 2022
  • Software updates which fixed the security holes had been available for months before the attack, but the Electoral Commission had failed to apply them.
  • The EC did not have an "appropriate" policy in place to ensure employees were using secure passwords.
  • This unauthorised access to voter data included personal information such as names and addresses
  • The data included details of 40 million voters, the majority of which was not publicly available
  • This attack has potentially compromised the integrity of electoral systems
  • The data accessed when this attack took place does not impact how people register, vote, or participate in democratic processes
  • It has no impact on the management of the electoral registers or on the running of elections
  • The UK EC released a statement today, 30th July, stating “it regretted that sufficient protections were not in place to prevent the cyber-attack.”
  • The current Information Commissioner's Office (ICO) deputy commissioner has confirmed it could have been prevented
  • The Electoral Commission has since committed to enhancing its cybersecurity protocols to prevent future attacks.
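Two of the findings above, no "appropriate" password policy and passwords left unchanged, are controls that can be checked in code. The following Python is an added example written for this article, not code from the Electoral Commission, the ICO or Ministry of Testing. It shows a policy validator for user-chosen passwords and an audit that finds accounts still set to a known default password by re-hashing each default under the account's own salt. The thresholds, the deny-list and the PBKDF2 storage format are this example's own assumptions, loosely following the shape of current OWASP and NCSC guidance (length over composition rules, a deny-list of common passwords, no vendor defaults left in place).

```python
"""Added example for this article: two checks behind a password policy.
Not code from the Electoral Commission, the ICO or Ministry of Testing.
Thresholds, the deny-list and the hash scheme are this example's assumptions,
loosely following OWASP/NCSC guidance (length over composition rules, a
deny-list of common passwords, no reuse of vendor defaults)."""
import hashlib
import hmac
from dataclasses import dataclass, field

MIN_LENGTH = 12    # assumption: minimum length for a user-chosen password
MAX_LENGTH = 128   # allow long passphrases; only guard against absurd input

# Constructed deny-list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "admin", "changeme", "summer2021", "electoral",
}


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def _strip_suffix(pw: str) -> str:
    """Lower-case and drop a trailing run of digits/punctuation, so that
    'Password2021!' is still recognised as the deny-listed 'password'."""
    return pw.lower().rstrip("0123456789!@#$%^&*.,?")


def check_password(pw: str, username: str = "", org_terms=()) -> PolicyResult:
    """Evaluate a candidate password against the policy; returns every
    reason it fails so the user can be told all of them at once."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or _strip_suffix(pw) in COMMON_PASSWORDS:
        reasons.append("on the common/breached password deny-list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the account username")
    for term in org_terms:
        if term.lower() in pw.lower():
            reasons.append(f"contains organisation term '{term}'")
    if pw and len(set(pw)) <= 3:          # e.g. 'aaaaaaaaaaaa' or 'abababababab'
        reasons.append("too few distinct characters")
    return PolicyResult(ok=not reasons, reasons=reasons)


def hash_password(pw: str, salt: bytes) -> bytes:
    """Constructed storage format: salted PBKDF2-HMAC-SHA256. The iteration
    count is kept low only so the example runs quickly; use far more in
    production."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 10_000)


def find_unchanged_defaults(stored: dict, defaults) -> list:
    """Audit stored credentials for accounts still on a vendor/default password.

    stored maps username -> (salt, digest). Because each account has its own
    salt, every default has to be re-hashed per account; a constant-time
    compare avoids leaking timing information about near-matches."""
    flagged = []
    for user, (salt, digest) in stored.items():
        for candidate in defaults:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    for pw in ["Password2021!", "correct horse battery staple", "short"]:
        print(pw, "->", check_password(pw, username="ajones", org_terms=["electoral"]))
    salt = b"fixed-salt-for-demo"   # constructed; real systems use a random per-account salt
    stored = {
        "svc_mail": (salt, hash_password("changeme", salt)),
        "ajones": (salt, hash_password("correct horse battery staple", salt)),
    }
    print("still on defaults:", find_unchanged_defaults(stored, ["changeme", "admin"]))
```

The default-password audit is the part most relevant to "unchanged passwords": it can run against a credential store without ever knowing the real passwords, because it only tests a short list of known defaults against each account's stored hash.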

Why bother? The ICO have various powers to take action for a breach of the UK GDPR or DPA (2018). Tools at their disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, they have the power to issue fines of up to £17.5 million or 4% of an organisation's annual worldwide turnover, whichever is higher.

The ICO also work with the National Cyber Security Centre, in their role as a NIS competent authority, and in the immediate response phase to cyber-attacks which lead to breaches of personal data.

Yet somehow, a statement on this was not released by the ICO until 08 August 2023, despite the issue having been “resolved in 2022”.

For voters, personal information is an important part of political campaigning: it allows political parties to get crucial messages to voters and helps them understand the key issues for different people. In May 2023 John Edwards, the Information Commissioner, wrote to political parties reminding them of their data protection obligations. But why were the general public not made aware? Was this in the news for all to hear? Could we have been swayed if a political party was using profiling techniques? Could China have influenced a result to its own gain? If the ICO takes action against organisations for "risking public trust" by failing to respond to public requests for information or by allowing hacks through poor process, how does that apply to our own Government? A formal reprimand is not enough.

What's more… as software testing professionals there are always lessons to be learned.

Importance of Rigorous Security Testing:

  • Remember - these breaches always affect people
  • Regularly perform comprehensive security assessments to identify vulnerabilities
  • Use both automated and manual penetration testing to discover potential weaknesses
  • This can all be done from the design stage

Data Protection Protocols:

  • Ensure sensitive data is encrypted both at rest and in transit
  • Keep systems updated and patched to defend against known exploits
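"Keep systems updated and patched" is the lesson the breach timeline above makes concrete: the fixes had been available for months. An inventory audit can turn that into a measurable check. The following Python is an added example written for this article, not tooling from the Electoral Commission or the ICO. For each installed component it finds fixes that were already published on the audit date and supersede the installed version, measures how long each fix has been available without being applied, and flags anything beyond an agreed service-level limit for its severity. The products, versions, fix identifiers, dates and SLA figures are all constructed for illustration.

```python
"""Added example for this article, not the Electoral Commission's or ICO's
tooling: a patch-lag audit over a constructed software inventory. For each
installed component it finds fixes that were already published on the audit
date and supersede the installed version, measures how long each fix has
been available unapplied, and flags anything beyond the organisation's
agreed service-level limit for that severity. Products, versions, identifiers
and dates are made up for illustration."""
from dataclasses import dataclass
from datetime import date

# Assumption: the organisation's own "apply within N days" targets per severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Fix:
    product: str
    fix_id: str
    supersedes: frozenset      # installed versions that this fix replaces
    released: date
    severity: str


def overdue_patches(inventory, fixes, as_of):
    """Return (host, product, fix_id, days_available) for every install that
    is still on a version a published fix supersedes, where the fix has been
    available for longer than the SLA for its severity. Sorted worst-first."""
    findings = []
    for item in inventory:
        for fix in fixes:
            if fix.product != item.product or item.version not in fix.supersedes:
                continue
            if fix.released > as_of:
                continue          # not yet published on the audit date
            days = (as_of - fix.released).days
            if days > SLA_DAYS.get(fix.severity, SLA_DAYS["medium"]):
                findings.append((item.host, item.product, fix.fix_id, days))
    return sorted(findings, key=lambda f: f[3], reverse=True)


# Constructed sample data: one mail server months behind on a critical fix,
# one already on a fixed version, one database within its SLA window.
SAMPLE_INVENTORY = [
    Installed("mail-01", "MailServer", "2.3"),
    Installed("mail-02", "MailServer", "2.5"),
    Installed("db-01", "DBEngine", "9.1"),
]
SAMPLE_FIXES = [
    Fix("MailServer", "MS-2021-01", frozenset({"2.3", "2.4"}), date(2021, 4, 13), "critical"),
    Fix("DBEngine", "DB-2021-07", frozenset({"9.1"}), date(2021, 7, 20), "medium"),
]
AUDIT_DATE = date(2021, 8, 1)


def main():
    for host, product, fix_id, days in overdue_patches(SAMPLE_INVENTORY, SAMPLE_FIXES, AUDIT_DATE):
        print(f"{host}: {product} missing {fix_id}, available for {days} days")


if __name__ == "__main__":
    main()
```

Run as a scheduled job against a real inventory and vendor advisory feed, the same function gives a per-host "days exposed" figure that can be tracked over time, which is a far more useful test oracle than a one-off "are we patched?" answer.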

Incident Response Planning:

  • Develop and maintain an incident response plan to quickly address breaches
  • Conduct drills with your teams to ensure readiness and efficiency in handling actual incidents

Compliance and Good Practices:

  • Stay informed about industry standards and best practices for Cybersecurity
  • Ensure compliance with relevant regulations, such as GDPR, to protect user data

Be Prepared:

  • If you don't know anything about security testing yet, dip your toe in the water
  • Get informed about Threat Modelling, OWASP
  • Try basic Security Testing your API with good tools
  • Use our Security Collection to get you started or refresh your knowledge

This breach serves as a crucial reminder for software testers to prioritise security in their testing processes, to make sure we are using our “Testing Toolbox” items like Risk Storming, our Oracle knowledge and Heuristics. Proactive and thorough security measures are essential to safeguard sensitive information and maintain trust in digital systems.


Aj Wilson, Technical Development & Engineering Manager
Rosie Sherry, CEO & Founder at Ministry of Testing