Electoral Commission reprimanded over cyber-attack

The Electoral Commission has been reprimanded by the Information Commissioner’s Office (ICO) after hackers gained access to servers that contained the personal information of around 40 million people.

In August 2021, criminals were able to hack the Commission’s Microsoft Exchange server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured.

The ICO said that until October 2022 – over a year later – the attackers had access to the personal information held on the Electoral Register, including names and home addresses.

The servers were accessed on several occasions without the Electoral Commission’s knowledge.

The regulator said that after carrying out an investigation, it found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held.

In particular, the ICO found that the Commission did not ensure its servers were kept up to date with the latest security updates: security patches for the vulnerabilities exploited in the cyber-attack were released in April and May 2021, months before the attack.

It went on to say that the Commission did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” said Stephen Bonner, deputy commissioner, ICO. “By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”

Bonner assured the public that while an "unacceptably" high number of people were impacted, the ICO has no reason to believe any personal data was misused.


