The UK’s electoral watchdog has been reprimanded for online security lapses that allowed the personal information of 40 million voters to be hacked.
The Information Commissioner’s Office said the Electoral Commission had failed to keep its servers up to date with the latest security updates before the data breach, which occurred in August 2021 but was not identified until October 2022.
Earlier this year, the Conservative government blamed Chinese hackers for the data breach and summoned Beijing’s ambassador to the UK to explain his country’s actions.
The US has also accused Chinese hackers of targeting American companies, officials, journalists and politicians, and the US and UK have announced joint sanctions. New Zealand has also expressed concern over China’s involvement in an attack targeting the country’s parliament in 2021.
The UK data breach reportedly resulted in Beijing accessing the personal data of some 40 million voters held by the Electoral Commission.
Stephen Bonner, deputy commissioner at the ICO, said in a statement on Tuesday: “Had the Electoral Commission taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have occurred.
“By failing to promptly install the latest security updates, their systems were left exposed and vulnerable to hackers.”
Bonner added that despite the breach, “there is no reason to believe that personal data has been misused and we have found no evidence that any direct harm has been caused.”
An Electoral Commission spokesperson said: “We regret that insufficient safeguards were in place to prevent the commission from being hacked.
“As noted and welcomed by the ICO, since the attack we have made changes to our approach, systems and processes to strengthen the security and resilience of our systems and we will continue to invest in this area.”
“Since the cyber attack, security and data protection experts – including the ICO, the National Cyber Security Centre and external specialists – have carefully examined the security measures we have put in place and have been given confidence in these measures.”
In 2023, the Electoral Commission said hackers had gained access to copies of electoral registers containing the names and addresses of anyone registered to vote in the UK between 2014 and 2022.
The Electoral Commission has since taken steps to improve its security, including modernising its infrastructure and introducing password policy controls and multi-factor authentication for all users.
China has consistently denied allegations of spying and wrongdoing. Lawmakers demanded a tougher stance against Beijing following the government’s statement earlier this year.
At the time, Catherine West, now minister for the Indo-Pacific, said she had warned China that a Labour government would act against interference in British democracy.
West travelled to Beijing in March for the first meeting between the Labour Party and the Chinese government since Keir Starmer became party leader. She told the Guardian she had raised Labour’s concerns about Chinese interference in British democracy and national security, stressing that “it is something we will act on in government”.
The Labour Party has pledged to conduct an audit of UK-China relations and announced a new cyber security and resilience bill in the King’s Speech.
Peter Kyle, the science secretary, said this week that Britain was “desperately exposed” to cyber threats and that national resilience had suffered “catastrophically” under the previous government.