Summary: The UK’s Information Commissioner’s Office reprimanded the Electoral Commission for failing to protect the personal data of nearly 40 million individuals during a cyberattack attributed to a Chinese state-backed hacker group. The attack exploited known vulnerabilities due to inadequate security measures and poor password policies.
Threat Actor: APT31
Victim: Electoral Commission
Key Points:
- The breach exposed personal information of voters registered in the UK since 2014.
- The attack was facilitated by exploiting known vulnerabilities in the Electoral Commission’s Microsoft Exchange Server.
- Inadequate password policies and failure to apply security patches contributed to the breach.
- The Electoral Commission has since implemented measures to enhance its security posture, including multi-factor authentication.
- The incident serves as a warning for organizations to prioritize proactive security measures to protect personal data.

The United Kingdom’s privacy watchdog reprimanded the country’s Electoral Commission on Tuesday for failing to protect the personal information of nearly 40 million people accessed by hackers during a cyberattack three years ago.
According to the Information Commissioner’s Office (ICO), the election agency failed to ensure its systems were kept up to date with the latest security updates and did not have sufficient password policies.
“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” ICO Deputy Commissioner Stephen Bonner said in a statement on Tuesday.
During an attack in 2021, the threat actor accessed the personal information, including names and home addresses, of people registered to vote in the U.K. beginning in 2014.
In March, the U.K.’s National Cyber Security Centre (NCSC) attributed the breach to a Chinese state-backed hacker group named APT31.
According to the ICO, the hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured.
In particular, the threat actor gained access to the on-premises Microsoft Exchange server via the ProxyShell vulnerability chain: CVE-2021-34473 (a pre-authentication path confusion in the Autodiscover front end), CVE-2021-34523 (a privilege elevation in the Exchange PowerShell backend) and CVE-2021-31207 (a post-authentication arbitrary file write).
The patches for these vulnerabilities were released in April and May 2021, months before the attack, according to the ICO.
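One thing a practitioner wants after reading the two paragraphs above is a way to check whether an on-premises Exchange server was hit by the same chain. The script below is an added example, not code from the article, the ICO or the Electoral Commission: it parses IIS W3C access logs and flags the request shapes ProxyShell leaves behind (the Autodiscover path-confusion query of CVE-2021-34473 and the X-Rps-CAT impersonation token of CVE-2021-34523). The log lines embedded in it are constructed for illustration, including the date and IP addresses.

```python
"""Scan IIS W3C access logs from an on-premises Exchange server for the
request shapes left by the ProxyShell chain (CVE-2021-34473 path confusion
through Autodiscover, CVE-2021-34523 PowerShell backend impersonation).
Added example; not code from the article, the ICO or the Electoral
Commission. The log lines below are constructed, not real evidence."""
from dataclasses import dataclass

# Backend endpoints an attacker reaches through the Autodiscover front end.
BACKEND_HINTS = ("/powershell", "/mapi/nspi", "/ews")

# Constructed sample: two benign requests and two ProxyShell-shaped ones.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-14 03:12:55 10.0.0.5 GET /owa/auth/logon.aspx url=https://exch.example.test/owa/ 443 203.0.113.7 Mozilla/5.0 200
2021-08-14 03:13:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.test 443 203.0.113.7 python-requests/2.25.1 200
2021-08-14 03:13:04 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@example.test 443 203.0.113.7 python-requests/2.25.1 200
2021-08-14 03:14:10 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice@example.test&Protocol=ActiveSync 443 198.51.100.22 Outlook/16.0 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    stem: str
    query: str
    reasons: tuple


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields header for the keys."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):  # skip malformed rows rather than misalign
            continue
        yield dict(zip(fields, values))


def classify(rec):
    """Return the ProxyShell indicators matched by one log record."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    reasons = []
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return reasons
    # The Email parameter pointing back at autodiscover.json is the
    # path-confusion trick itself; a real client never sends that.
    if "autodiscover.json%3f@" in query or "autodiscover.json?@" in query:
        reasons.append("Email parameter references autodiscover.json (path confusion)")
    # '@' alone is normal (Email=user@domain); '@' plus a backend path is not.
    if "@" in query:
        for hint in BACKEND_HINTS:
            if hint in query:
                reasons.append(f"backend path {hint} reached via Autodiscover")
    if "x-rps-cat=" in query:
        reasons.append("X-Rps-CAT token in URL (PowerShell backend impersonation)")
    return reasons


def scan(lines):
    """Return a Hit for every record that matches at least one indicator."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-uri-stem"],
                            rec["cs-uri-query"], tuple(reasons)))
    return hits


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(h.time, h.client_ip, h.stem, "|", "; ".join(h.reasons))
```

Point `scan()` at the real `u_ex*.log` files under the Exchange front-end IIS log directory; the benign Autodiscover request in the sample (a plain `Email=user@domain` query) is included to show why matching on `@` alone would drown you in false positives.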
Further investigation revealed eight more vulnerabilities on the Electoral Commission’s servers. “Although not utilized on this occasion, any one of them could have been exploited by a threat actor whilst they existed on the relevant systems,” the ICO said.
The Electoral Commission also did not have proper password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
“This practice of reusing passwords makes the Electoral Commission’s passwords highly susceptible to password guessing,” the ICO said.
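The weakness the ICO describes here is passwords that are the service-desk default with a digit or symbol bolted on. A control that catches this at password-change time is shown below as an added example; it is not code from the article, the ICO or the Electoral Commission, and the normalisation rules, the two-edit threshold and the sample accounts are this example's assumptions rather than any published policy.

```python
"""Password-change check that rejects a new password identical to, or only
cosmetically different from, the one the service desk issued.
Added example; not code from the article, the ICO or the Electoral
Commission. Normalisation rules, threshold and sample data are assumptions."""
import re

# Substitutions users apply to "change" a password without changing it.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MAX_EDITS = 2  # assumption: within two edits of the issued core counts as reuse


def normalise(pw):
    """Casefold, drop trailing digits/symbols (Welcome123! -> welcome), undo leet."""
    core = re.sub(r"[^a-z]+$", "", pw.casefold())
    return core.translate(LEET)


def levenshtein(a, b):
    """Standard edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_password(candidate, issued):
    """Return (accepted, reason) for a proposed password given the issued one.
    Length and complexity rules are a separate check; this only targets reuse."""
    if candidate == issued:
        return False, "identical to the issued password"
    c, i = normalise(candidate), normalise(issued)
    if c == i:
        return False, "differs from the issued password only in case, digits or symbols"
    if i and i in c:
        return False, "contains the issued password"
    if levenshtein(c, i) <= MAX_EDITS:
        return False, f"within {MAX_EDITS} edits of the issued password"
    return True, "ok"


# Constructed sample: (username, password issued by the desk, proposed new one).
SAMPLE_CHANGES = [
    ("a.smith", "Welcome1", "Welcome123!"),
    ("b.jones", "Welcome1", "W3lc0me2021"),
    ("c.patel", "Welcome1", "correct-horse-battery-staple"),
    ("d.lee", "Autumn2019", "Autumn2021"),
]


def audit_sample():
    """Return the usernames whose proposed password would be rejected."""
    return [user for user, issued, new in SAMPLE_CHANGES
            if not evaluate_password(new, issued)[0]]


if __name__ == "__main__":
    for user, issued, new in SAMPLE_CHANGES:
        print(user, new, "->", evaluate_password(new, issued))
```

Hook `evaluate_password()` into whatever handles the forced change on first login; the issued password is known to the desk at that moment, so the comparison needs no stored plaintext afterwards.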
Following the breach, the Electoral Commission took a number of steps to improve its security, including implementing a plan to modernize its infrastructure, as well as password policy controls and multi-factor authentication for all users, according to the ICO.
The reprimand “should serve as a reminder to all organizations that you must take proactive and preventative measures to ensure your systems are secure,” Bonner said.
“Do you know if your organization has installed the latest security updates? If not, then you jeopardize people’s personal information and risk enforcement action, including fines,” he added.
Source: https://therecord.media/elections-agency-flaws-ico-hackers