Electoral Commission failed cybersecurity test in same year as hack

The commission said it had failed the test in 2021, when it was breached by an unknown assailant.

The organisation revealed last month that it had been a target of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers, equating to the names and addresses of 40 million people. It said the attack started in August 2021 and was not detected until October 2022.

The commission said it did not pass the test due to two issues unrelated to the hack: an earlier version of Windows software on some laptops and a dated version of staff mobiles. It said those problems were not linked to the attack, which affected the organisation’s email servers.

A spokesperson said: “We are always working to improve our cybersecurity and systems. We draw on the expertise of the National Cyber Security Centre, as many public bodies do, to continue to develop and progress protections against cyber-threats. We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber-threats as they evolve and take different forms. We welcome these learnings and act on them.”

The Cyber Essentials website states that the scheme is important because vulnerability to basic attacks marks organisations out as targets for “more in-depth unwanted attention from cybercriminals and others”.

Experts said the admission pointed to lax IT security at the organisation. “Failing such basic measures is not a good look,” said Alan Woodward, a professor of cybersecurity at Surrey University.

Steven Murdoch, a professor of security engineering at University College London, said: “Failing to meet fundamental patching requirements is a pretty good indication that there are deeper problems with management of and investment in information security.”