Electoral Commission hack: Five things you need to know

The public statement only raises more questions

Tom Allen

3. Why did it take so long for us to hear about it?

Technically, the Electoral Commission fulfilled its legal obligations under the UK GDPR. It told the ICO about the breach within 72 hours of discovery, and set about remediating it.

Article 34 of the GDPR says a data subject - that is, anyone affected by a breach - must be informed "without undue delay" if the breach "is likely to result in a high risk to the rights and freedoms of natural persons."

The Commission judged that the accessed personal data "does not pose a high risk to individuals," and makes clear that it is notifying people now because of the volume of data involved, rather than its sensitivity.

However, this is far from the norm. Even when personal data was not accessed, or was not judged to be of high risk, the de facto standard now is to tell data subjects at the same time as the regulator. Why the Electoral Commission failed to do so is unknown.

Mark Ridley, an experienced CIO and director at Ridley Industries, disagreed with the Commission's judgement of the data's sensitivity.

"If I had the information and was a sneaky hacker, I'd be thinking firstly that I could do lots of nice phishing with the electoral register data, pretending to be from a number of government agencies.

"Secondly, if it was all the mailboxes in all the past and current employees, there would be an absolute treasure trove of employee and external information to mine... That would mean anyone/everyone should be very suspicious of any email or physical mail they receive from the government for a while."

Dewi Price, CIO at Inizio Digital and formerly of institutions including Open University, Thames Water and Imperial College London, asked, "If they knew about the breach in October 2022, why has it taken 10 months to provide notification? The excuse that they 'had to remove the actors and their access' and 'put additional security measures in place' points to a very cumbersome technology estate and worrying lack of responsiveness."

The breach timeline - dating to August 2021 but not being discovered until October 2022 - points to a less-than-annual security review. Questions must be asked: is this acceptable for central government?
