Parsing the UK voter register cyberattack
A catastrophic breach of the United Kingdom electoral register affects tens of millions of residents following a cyberattack at the U.K. Electoral Commission.
With data on more than 40 million voters accessed by unnamed hackers, the cyberattack is already one of the U.K.’s largest ever hacks.
The Electoral Commission said the hackers accessed a “high volume” of personal information of people registered to vote in the U.K. between 2014 and 2022, including names and home addresses. The information is used for research and conducting checks on political donors. The Commission said there was no impact on the integrity of elections or any voter’s registration since “live” electoral registers are handled by local election authorities.
The cyberattack was disclosed Tuesday, more than nine months after the organization said it discovered “suspicious activity” on its network in October 2022. The Commission said the hackers first gained access more than a year earlier in August 2021.
Why the U.K. public is first hearing about it now is anybody’s guess. The Electoral Commission declined to answer our specific questions, citing an ongoing investigation by the U.K. data protection authority, the Information Commissioner’s Office. When reached, an ICO spokesperson would not say why the Commission took nine months to disclose the cyberattack.
The Electoral Commission’s website has limited details about the incident.
TechCrunch has annotated the Commission’s data breach notice with our analysis of what it says and what was left out, just as we did with the security incidents at LastPass and Samsung last year. You can tap each link and it’ll open the notice for you to follow along. Knowing what to look for when organizations publicly disclose their security incidents can help shed light on what happened.
What the Electoral Commission said in its data breach notice
The Commission is “unable” to ascertain if data was actually stolen
It’s not disputed that the hackers gained access to the Commission’s network, including its file sharing systems and email server . It’s that the Commission does not know if data was taken or exfiltrated from its systems. The Commission’s notice specifically notes: “We have been unable to ascertain whether the attackers read or copied personal data.”
The question really is, what monitoring and logging did the Commission have in place, if any, to detect or identify a data breach?
Accessed data includes voters’ names, addresses, and non-public voter information
According to the notice, the personal data accessed by the hackers includes names, email addresses and postal addresses, phone numbers and any correspondence that voters had with the Commission, including emails (more on that below). Voters registered to vote anonymously are not affected by the cyberattack, the Commission confirmed.
The compromised data does, however, include information on voters who opted out of having their information published in the public voter registers, which are available to anyone wanting to purchase.
Commission said suspicious logins flagged the hack
Buried in its notice, the Commission said it was first alerted to the attack “by a suspicious pattern of log-in requests to our systems” in October 2022. Once the Commission identified the suspicious pattern of logins, presumably the initial access was then traced back to August 2021. This means that the hackers were in the Commission’s systems for more than a year before they were noticed, and likely longer until they were fully expelled.
As a result of the security incident, the Commission said it “strengthened our network login requirements” but did not say specifically how. That could be anything from implementing two-factor authentication to simply improving their existing security protections.
“Hostile actor” likely suggests evidence of malice
The Commission described the hackers as “hostile actors,” citing its unnamed cybersecurity partners, presumably incident response with knowledge of investigating cyberattacks. We don’t know what the evidence is, or what the Commission constitutes “hostile.” Given this, we can likely conclude that whatever access or activity that the hacker gained suggests a level of malice not typically carried out by good-faith security researchers in the pursuit of reporting and fixing security flaws.
What we don’t know about the Electoral Commission hack
The Commission does not know who is behind the breach
We don’t know what the motivations of the hackers are, or whether they are financially driven or a state-backed hacker conducting espionage.
The Commission said nobody has “claimed responsibility” for the hack, suggesting that the hackers have not contacted the Commission with an extortion demand, such as a ransom to return encrypted or stolen data. The Commission also said that “we do not know who is responsible for the attack.”
This is important as it suggests neither the hackers have claimed responsibility nor has the Commission heard from the hackers. Where there isn’t a financial motivation for a cyberattack, one might instead wonder what value this data has to an adversarial nation.
It’s not known how the Commission’s email server was compromised
A key part of this cyberattack was the hackers’ access to the Commission’s email server. According to the notice, the hackers gained access to copies of the electoral registers and its email servers, which the Commission said contains “a broad range of information and data,” without specifying more.
Commission spokesperson Andreea Ghita said that as a result anyone who contacted the Commission by email or through its web form “will have provided data that was accessible as part of this attack.”
The Commission runs largely a Windows-based environment. TechCrunch identified that the Commission’s email server is a self-hosted Exchange email server, which was online until at least August 2022, per its listing in Shodan, a database for public servers and databases. The Exchange server was also fully patched at the time it was listed, according to security researcher Kevin Beaumont, who checked our findings.
However, August 2022 was the same month that hackers began exploiting a then-unpatched zero-day flaw affecting Exchange on-premise servers called ProxyNotShell, which can be abused to gain full control of an email server. At the time, there were no patches for ProxyNotShell until months later in November 2022, Beaumont said. Exploitation of ProxyNotShell was widespread across the internet.
A key question will be if the hackers gained access to the Commission’s network and then its email server, or if the email server was compromised first and used to pivot and gain access to the Commission’s network. It’s a missing detail that could be important in understanding how the cyberattack was carried out.
Why did it take nine months to go public?
The Commission confirmed that it reported the hack to the Information Commissioner’s Office within the statutory 72 hours from the time of initial discovery of a cyberattack as required by U.K. data protection law.
The big question is why it took the Electoral Commission nine months to tell the public — whose information was ultimately affected — with the cyberattack. The Commission declined to comment citing the ICO’s ongoing investigation. It’s also unclear why the nine-month delay was permitted by the ICO, which declined to comment when reached by TechCrunch.
The Commission said that it had to take “several steps” before it could make the incident public, such as expelling the hackers from its systems, assess the damage, and put in place new security measures to prevent a similar attack.
Those nine months of silence will likely face considerable scrutiny from those investigating the incident.