UK Electoral Roll Targeted in 'hostile' CyberAttack

chrismscotland · 8 Aug 2023 at 17:56

Haven't seen this anywhere else yet but the Electoral Commission admitting that they were subject to a "complex" cyberattack in which its systems were accessed by an unnamed "hostile actor".

Names, Addresses, Email addresses and other info held on electoral registers was compromised.

It was first identified in October 2022...... and then an investigation found the systems had first been accessed in August 2021!!

Brilliant, job well done by the Electoral Commission, I hope it focuses some attention and funding to securing information around our elections a bit more urgently!

UK election watchdog targeted in ‘hostile’ cyberattack

The Electoral Commission has not said who was behind the attack, which accessed voters’ names and addresses.

www.politico.eu

Cyber-attack on UK's electoral registers revealed

The Electoral Commission warns the public to be vigilant for unauthorised use of their personal data.

www.bbc.co.uk

Murphy · 8 Aug 2023 at 19:14

Nice that they let people know quickly, i guess this explains why I've been getting 'we couldn't deliver your parcel' emails for the last few months.

Also if the government say they need backdoors into end-to-end encryption or for people to verify their age by using a central database of credit card details we can now tell them to stick it where the sun don't shine because a hack/leak of such sensitive data is no longer a theoretical possibility.

throwaway4372 · 8 Aug 2023 at 19:20

This bit winds me up:

According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breeches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals.

Excuse me? This literally lets any creep show up at your house. It's about as high risk as it gets. Whoever wrote that needs firing.

Edit: I also want compensation. They have put me at risk. There's nothing I can do about it.

jpaul · 8 Aug 2023 at 19:28

Their excuse for not revealing breech faster is that they were afraid on what the attackers might do ... or moreover ? they thought they'd try and understand more about attacker,
the government obviously agreed with great reveal date, too

As said probably representative of security in the new NHS database , and probably gives Trump more credibility in accusations on interference in their electronic voting results.

A2Z · 8 Aug 2023 at 19:29

Guess it's a good thing im purposely not on any electoral role. Will only add myself before GE.

Quartz · 8 Aug 2023 at 19:32

Wow. Imagine some malefactor sending fake postal voting forms to supporters of one party.

brendy · 8 Aug 2023 at 19:35

I guess we can just quit the GDPR crap if agencies can't even get it right?

Lightnix · 8 Aug 2023 at 19:37

Given our stupid electoral system it's hardly worth being registered to begin with. Having the data stolen as well is just the icing on the cake.

throwaway4372 · 8 Aug 2023 at 20:02

Quartz said:
Wow. Imagine some malefactor sending fake postal voting forms to supporters of one party.

I would expect the legit postal forms to have a super secret barcode or something to prevent that. Am I wrong?

dlockers · 8 Aug 2023 at 20:17

throwaway4372 said:
This bit winds me up:

Excuse me? This literally lets any creep show up at your house. It's about as high risk as it gets. Whoever wrote that needs firing.

Edit: I also want compensation. They have put me at risk. There's nothing I can do about it.

Everyone can move one house to the right. Problem solved!

Lightnix · 8 Aug 2023 at 20:21

Classic Blue Theme said:
Everyone can move one house to the right. Problem solved!

Well the electoral commission can pay for the movers, I'm not shifting all of this crap.

throwaway4372 · 8 Aug 2023 at 20:22

Classic Blue Theme said:
Everyone can move one house to the right. Problem solved!

The cost of moving house is the minimum compensation I'm thinking about. Moving is the only thing you can do to protect yourself.

dlockers · 8 Aug 2023 at 20:23

throwaway4372 said:
The cost of moving house is the minimum compensation I'm thinking about. Moving is the only thing you can do to protect yourself.

Are you responsible for the data breach because you wanted to move house?

Minusorange · 8 Aug 2023 at 20:27

It's interesting they don't say who the hackers were

Quartz · 8 Aug 2023 at 20:27

throwaway4372 said:
I would expect the legit postal forms to have a super secret barcode or something to prevent that. Am I wrong?

How would the voter know? Voter sends in what they think is a valid vote, it gets discarded as invalid and the voter is in trouble and by the time it's all sorted out the election is over.

dlockers · 8 Aug 2023 at 20:43

Minusorange said:
It's interesting they don't say who the hackers were

They were seen roller skating away, so I think it is pretty obvious tbh.

Tony Edwards · 8 Aug 2023 at 21:10

Quartz said:
How would the voter know? Voter sends in what they think is a valid vote, it gets discarded as invalid and the voter is in trouble and by the time it's all sorted out the election is over.

It would be pretty easy to work out as they would have been sent two postal votes. The real one and a fake one.

cyber69 · 9 Aug 2023 at 11:22

I wonder which outsourced IT provider was involved?

Hagar · 9 Aug 2023 at 12:16

The electoral commission is independant of government reporting to the speakers committee.

About us

www.electoralcommission.org.uk

jpaul · 9 Aug 2023 at 12:35

cyber69 said:
I wonder which outsourced IT provider was involved?

presumably not Rishi's wifes one

It discloses that Infosys has signed contracts to provide services and supplies to multiple government clients. Its most recent contract was awarded last December, and its earliest in March 2015, both with Transport for London – for whom it was most recently contracted to supply £1,760,500 worth of “consulting, software development, internet and support.”

In 2015, it managed to secure government-related contracts worth £98m with 15 partner companies. Other contracts include two with the Home Office worth £10.8m – including a 2017-2020 contract, worth £7.4m, to supply “quality assurance and infrastructure testing.”

It has signed six contracts with the Care Quality Commission totalling £20.3m, two contracts with the Medicines and Healthcare Products Regulatory Agency worth £5.35m, been a party to a £10m contract to provide Westminster Council with its digital road map and supplied computer goods and software to Nottingham University valued at £650,600. It has also worked with the London Borough of Merton and East Sussex County Council in contracts worth £500,000 and £25m, respectively.

Maybe they already made other companies using similar software/firewalls aware of the issue ..
it's like Apple&co bounty program where they patch the software before revealing details

they could disclose if phishing was the first point of contact