Just when you thought the election was behind us!

This is not a political story but a cyber security story.

Last year it was revealed that the UK’s Electoral Commission – a body charged with maintaining credibility and openness in the UK’s voting system – had been hacked, about 10 months before it made a statement about it. It lost control of a vast amount of personal data belonging to us.

Now, a year later, we get a report from the Information Commissioner’s Office (ICO) reprimanding the Electoral Commission for “poor security”. No sh*t Sherlock. (I added the last bit.)

Poor security let hackers access 40 million voters’ details – BBC News

But do not worry – the Electoral Commission has it covered:

“the Electoral Commission said it regretted that sufficient protections were not in place to prevent the cyber-attack.” (BBC)

The plus side of this event – if there is one – is that no evidence of misuse of the stolen data has been found by the investigating team. Of course this does not mean misuse has not happened, just that the ICO and other investigators have not found any!

Your Takeaways

From the late declaration of the incident to the statements about regret and change, the messaging around this incident does not look to have been well handled. Make sure your incident response plan has a section on communications.

For your second takeaway I am going to quote the BBC article again:

“Software updates which fixed these security holes had been available for months before the attack, but the Electoral Commission had failed to apply them.” (BBC)

All the Electoral Commission had to do was read Smart Thinking to know that this is a fundamental cyber security mistake. Who did they have advising them on cyber security?
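Months-old fixes left unapplied is a measurable thing, not just a regret. The script below is an added example (it is not from the original post, the BBC article, or the Electoral Commission) of the kind of patch-latency check a small IT team can run against its own software inventory: for each installed product it looks for any security fix the vendor has already published, and reports how many days that fix has been sitting unapplied. The inventory, advisory list, product names, version numbers and dates are all constructed for illustration and do not describe any real system.

```python
"""Patch-latency report: flag installed software that is older than an
available security fix, and say for how long that fix has been waiting.

Added example, not code from the original post. All hosts, products,
versions and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    released: date       # date the vendor published the fix


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str         # version currently running on that host


def parse_version(v: str) -> tuple:
    # "2.4.10" -> (2, 4, 10); a non-numeric component sorts below any number.
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the version carrying the fix."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))   # pad so that 1.9 compares as 1.9.0
    b += (0,) * (n - len(b))
    return a < b


def patch_latency(inventory, advisories, today, max_days=30):
    """Return (host, product, installed, fixed_version, days_outstanding)
    for every install still missing a fix published more than max_days ago,
    longest-outstanding first."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.product != item.product:
                continue
            if is_vulnerable(item.version, adv.fixed_version):
                days = (today - adv.released).days
                if days > max_days:
                    findings.append(
                        (item.host, item.product, item.version,
                         adv.fixed_version, days))
    return sorted(findings, key=lambda f: -f[4])


# Constructed sample data: two advisories for a mail server, one for a web app.
ADVISORIES = [
    Advisory("mailserver", "2.4.0", date(2021, 4, 13)),
    Advisory("mailserver", "2.5.1", date(2021, 7, 13)),
    Advisory("webapp", "1.9.2", date(2021, 8, 1)),
]

# Constructed sample inventory: mx01 has missed two fixes, mx02 one,
# web01 is current, web02 is behind but the fix is under 30 days old.
INVENTORY = [
    Installed("mx01", "mailserver", "2.3.7"),
    Installed("mx02", "mailserver", "2.4.0"),
    Installed("web01", "webapp", "1.9.2"),
    Installed("web02", "webapp", "1.9"),
]


def report(today=date(2021, 8, 20)):
    """Run the check over the constructed data as of the given date."""
    return patch_latency(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for host, product, have, need, days in report():
        print(f"{host}: {product} {have} -> fix {need} available for {days} days")
```

Feed it the real inventory your RMM or asset register exports, and a vendor advisory feed, and the "days outstanding" column becomes the number you should never let reach "months". The 30-day threshold is a starting point, not a standard; for internet-facing systems most practitioners want it far lower.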

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

For more information on what an incident response plan should look like, have a look at this article:

Before! – Ransomware