A voter at a polling station in Stalybridge. The 2021 attack resulted in hackers accessing copies of electoral registers, equating to names and addresses of 40 million people. Photograph: Anthony Devlin/Getty Images

Electoral Commission failed cybersecurity test in same year as hack

This article is more than 10 months old

UK election watchdog admits it did not pass assessment in 2021, when voter data security was breached

The Electoral Commission has admitted it failed a cybersecurity test in the same year that hackers successfully attacked the organisation.

The UK’s elections watchdog said it did not pass a Cyber Essentials test, a voluntary government-backed scheme that assesses an organisation’s readiness against cyber-attacks.

The commission said it had failed the test in 2021, when it was breached by an unknown assailant.

The organisation revealed last month that it had been a target of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers, equating to the names and addresses of 40 million people. It said the attack started in August 2021 and was not detected until October 2022.

The commission said it did not pass the test due to two issues unrelated to the hack: an earlier version of Windows software on some laptops and a dated version of staff mobiles. It said those problems were not linked to the attack, which affected the organisation’s email servers.

A spokesperson said: “We are always working to improve our cybersecurity and systems. We draw on the expertise of the National Cyber Security Centre, as many public bodies do, to continue to develop and progress protections against cyber-threats. We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber-threats as they evolve and take different forms. We welcome these learnings and act on them.”

The Cyber Essentials website states that the scheme is important because vulnerability to basic attacks marks organisations out as targets for “more in-depth unwanted attention from cybercriminals and others”.

Experts said the admission pointed to lax IT security at the organisation. “Failing such basic measures is not a good look,” said Alan Woodward, a professor of cybersecurity at Surrey University.

Steven Murdoch, a professor of security engineering at University College London, said: “Failing to meet fundamental patching requirements is a pretty good indication that there are deeper problems with management of and investment in information security.”
