UK govt links 2021 Electoral Commission breach to Exchange server

The UK's Information Commissioner's Office (ICO) revealed today that the Electoral Commission was breached in August 2021 because it failed to patch its on-premise Microsoft Exchange Server against ProxyShell vulnerabilities.

In March, the U.K. National Cyber Security Centre (NCSC) attributed the UK Electoral Commission breach to a Chinese state-backed threat actor.

Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, these security flaws were chained to break into the commission's Exchange Server 2016 and deploy web shells and backdoors, which allowed the attackers to gain persistence.

While Microsoft released security updates in May 2021 that fixed the ProxyShell vulnerability chain, the commission did not patch its systems promptly, exposing them to attacks.

The attack and the deployed malware were discovered on October 28, 2021, when an employee found that the Commission's Exchange server was being used to send spam emails.

During the breach, the Chinese hackers gained access to the personal information of around 40 million people, including their names, home addresses, email addresses, and phone numbers.

While the commission downplayed the impact, saying "a lot of it's already in the public domain," only voters' names and addresses are publicly available in the U.K. open register.

UK ICO's Electoral Commission reprimand

"Our investigation found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held," the ICO said.

"The Electoral Commission also did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk."

Slap on the wrist

Today, the ICO reprimanded the U.K. elections authority for failing to protect its systems and the personal information of millions of voters.

ICO Deputy Commissioner Stephen Bonner said that if the commission "had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened."

However, Bonner added that the ICO has no reason to believe any personal information was misused since it was accessed in 2021 and has yet to find evidence that the breach has caused direct harm to impacted voters.

In August 2021, days after the U.K. Electoral Commission breach was disclosed, Shodan revealed that it was tracking tens of thousands of Exchange servers vulnerable to ProxyShell attacks.

The breach came after the U.K., the U.S., and their allies blamed China's Ministry of State Security (MSS) for widespread attacks that hit tens of thousands of organizations worldwide in March 2021. MSS is linked to state-backed hacking groups tracked as APT40 and APT31.

