The UK’s election watchdog has been reprimanded over online security lapses that allowed the personal information of 40 million voters to be hacked.
The Information Commissioner’s Office said the Electoral Commission had not kept its servers up to date with the latest security updates before the data breach, which occurred in August 2021 but was not identified until October 2022.
Earlier this year, the Conservative government blamed the data breach on Chinese hackers and summoned Beijing’s ambassador to the UK to explain his country’s actions.
The US also accused Chinese hackers of targeting American businesses, officials, journalists and politicians, with the US and UK announcing joint sanctions. New Zealand also raised concerns with China about its involvement in an attack that targeted the country’s parliament in 2021.
The UK breach allegedly resulted in Beijing accessing the personal details of about 40 million voters held by the Electoral Commission.
Stephen Bonner, a deputy commissioner at the ICO, said in a statement on Tuesday: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.
“By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers.”
Bonner added that despite the breach, there was “no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused”.
An Electoral Commission spokesperson said: “We regret that sufficient protections were not in place to prevent the cyber-attack on the commission.
“As the ICO has noted and welcomed, since the attack we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area.”
“Since the cyber-attack, security and data protection experts – including the ICO, National Cyber Security Centre and third-party specialists – have carefully examined the security measures we have put in place and these measures command their confidence.”
In 2023, the Electoral Commission said hackers had gained access to copies of electoral registers with the names and addresses of anyone registered to vote in the UK between 2014 and 2022.
The watchdog has now taken steps to improve its security, including by modernising its infrastructure and introducing password policy controls and multi-factor authentication for all users.
China has consistently denied accusations of espionage and wrongdoing. MPs demanded a tougher stance against Beijing after the government’s statement earlier this year.
At the time Catherine West, who is now minister for the Indo-Pacific, said she had warned China that a Labour government would act against interference in British democracy.
West travelled to Beijing in March for the first meeting between Labour and the Chinese government since Keir Starmer became party leader. She told the Guardian she had raised Labour’s concerns about Chinese interference in British democracy and national security, underlining that “this is something we will act on in government”.
Labour is committed to carrying out an audit of UK-China relations and announced a new cybersecurity and resilience bill in the king’s speech.
Peter Kyle, the science secretary, said this week that Britain was “desperately exposed” to cyber-threats and that national resilience had suffered “catastrophically” under the previous government.