© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

ICO gives Electoral Commission slap on the wrist for data breach


The Information Commissioner’s Office (ICO), the security and privacy watchdog in the United Kingdom, has issued a reprimand to the Electoral Commission after hackers were able to steal the personal information of approximately 40 million voters.

In August 2021, hackers successfully gained access to the Electoral Commission’s Microsoft Exchange Server by abusing a series of vulnerabilities known as ProxyShell, allowing them to remotely execute arbitrary code without authentication.

Once the hackers infiltrated the Electoral Commission’s Exchange Server, they installed a webshell in order to maintain access. Employees of the Electoral Commission discovered this hidden backdoor in October 2022, meaning the hackers had access to personal information that was kept on the Exchange Server for over a year.

At the time, the Microsoft Exchange Server contained personal information of registered eligible voters in the United Kingdom between 2014 and 2022. The hackers were able to copy full names, home addresses and copies of the Electoral Registers. The servers were accessed multiple times without the Electoral Commission’s knowledge.

The ICO launched an investigation into the matter and found that the Electoral Commission didn’t have appropriate security measures in place to protect the private information it kept. For example, the updates to fix the ProxyShell vulnerabilities, which were released in April and May 2021, weren’t installed.

In addition, the Electoral Commission didn’t have sufficient password policies in place at the time of the attack.

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers,” Deputy Commissioner at ICO Stephen Bonner says in a statement.

After the attack, the Electoral Commission took numerous steps to improve its security, including a plan to modernize its infrastructure, password policy controls and multi-factor authentication for all users.

Bonner stresses that this incident should serve as a reminder to all organizations to proactively take preventative measures to secure their systems. “Do you know if your organization has installed the latest security updates? If not, then you jeopardize people's personal information and risk enforcement action, including fines,” he adds.

