UK Electoral Commission failed basic cybersecurity test before attack

The UK’s Electoral Commission failed a basic cybersecurity test shortly before it suffered a cyberattack in which hackers gained access to registers containing the names and addresses of voters. That’s according to a report by the BBC, which claims the commission was given an automatic fail during a Cyber Essentials audit that it has still not passed.

Cyber Essentials is a UK government scheme that certifies organisations against cybersecurity standards. Launched in 2014, it offers two certification types: basic Cyber Essentials and Cyber Essentials Plus. Both have a set of cybersecurity requirements that organisations must meet to achieve accredited status. The government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold an up-to-date Cyber Essentials certificate.

UK Electoral Commission failed Cyber Essentials test in “multiple areas”

However, the commission failed in multiple areas when it tried to become certified in 2021, according to the BBC. One reason it failed the test was that around 200 staff laptops were running obsolete and potentially insecure software, the report said. A spokeswoman for the commission admitted the failings but claims they weren’t linked to the cyberattack that impacted its email servers. Auditors also issued the failure because staff were using old iPhones that Apple no longer supports with security updates, the BBC wrote.
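The two audit failures described above, obsolete laptop software and phones past their vendor support date, are the kind of finding a fleet inventory check can surface before an external assessor does. The following is an added example, not code from the article, the commission, or the Cyber Essentials scheme. It assumes a simple inventory export and a table of support-end dates; both the device records and the dates are constructed placeholders, not vendor data, so a real deployment would populate the table from the vendors' published lifecycle pages.

```python
from datetime import date

# Constructed sample inventory of hypothetical devices (not the commission's data).
INVENTORY = [
    {"device": "LAPTOP-0001", "os": "exampleos", "version": "10.0"},
    {"device": "LAPTOP-0002", "os": "exampleos", "version": "11.0"},
    {"device": "PHONE-0003", "os": "examplephone", "version": "12"},
    {"device": "PHONE-0004", "os": "examplephone", "version": "16"},
    {"device": "LAPTOP-0005", "os": "exampleos", "version": "9.0"},
]

# Constructed support-end table: placeholder product names and dates, not real
# vendor lifecycle data. Key is (os, version); value is the last day of support.
SUPPORT_END = {
    ("exampleos", "10.0"): date(2020, 1, 14),
    ("exampleos", "11.0"): date(2026, 10, 14),
    ("examplephone", "12"): date(2021, 6, 1),
    ("examplephone", "16"): date(2027, 1, 1),
}


def find_unsupported(inventory, support_end, today):
    """Return (device, reason) pairs for every device that would fail the
    'no unsupported software' check.

    A version missing from the table is reported as a finding too: an unknown
    release cannot be shown to be supported, so it is treated as a failure
    rather than silently passed.
    """
    findings = []
    for item in inventory:
        key = (item["os"], item["version"])
        end = support_end.get(key)
        if end is None:
            findings.append((item["device"], "version not in support table"))
        elif end < today:
            findings.append((item["device"], f"support ended {end.isoformat()}"))
    return findings


def passes_supported_software_check(inventory, support_end, today):
    """True only when no device in the inventory is unsupported or unknown."""
    return not find_unsupported(inventory, support_end, today)


if __name__ == "__main__":
    today = date(2023, 9, 1)  # constructed assessment date
    for device, reason in find_unsupported(INVENTORY, SUPPORT_END, today):
        print(f"FAIL {device}: {reason}")
    print("overall:", "pass" if passes_supported_software_check(INVENTORY, SUPPORT_END, today) else "fail")
```

Treating an unknown version as a failure is deliberate: an inventory that cannot tell an auditor what a device is running is itself a gap, and a check that quietly skips such devices will report a clean fleet that is nothing of the sort.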

The Electoral Commission told the BBC it did not apply for Cyber Essentials in 2022. “We are always working to improve our cybersecurity and systems and draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyberthreats,” it said in a statement.

Election watchdog failed to discover system hack for 15 months

Last month, the commission revealed that “hostile actors” had accessed its emails and potentially the data of 40 million voters. Although attackers first gained access to the electoral registers and email system in August 2021, the intrusion was not identified until October 2022, when the electoral body became aware of a suspicious pattern of log-in requests being made to its systems. It has not yet been revealed who carried out the intrusion or how the commission was breached.

At the time, the commission said while it was “not able to know conclusively” what information was accessed, the personal data most likely to have been accessible included names, addresses, email addresses, and any other personal data sent to the commission by email or held on the electoral registers.

“We regret that sufficient protections were not in place to prevent this cyberattack,” said Shaun McNally, the Electoral Commission chief executive, in a statement. “Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”

In line with requirements under data protection law, McNally said the Electoral Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying the breach.
