Electoral Commission hack: Five things you need to know

The public statement only raises more questions

Tom Allen

3. Why did it take so long for us to hear about it?

Technically, the Electoral Commission fulfilled its legal obligations under the UK GDPR. It told the ICO about the breach within 72 hours of discovery, and set about remediating it.

Article 34 of the GDPR says a data subject - that is, anyone affected by a breach - must be informed "without undue delay" if the breach "is likely to result in a high risk to the rights and freedoms of natural persons."

The Commission judged that the accessed personal data "does not pose a high risk to individuals." It makes it clear that it is notifying people now because of the data volume, rather than its sensitivity.

However, this is far from the norm. Even when personal data was not accessed, or was not judged to be of high risk, the de facto standard now is to tell data subjects at the same time as the regulator. Why the Electoral Commission failed to do so is unknown.

Mark Ridley, an experienced CIO and director at Ridley Industries, disagreed with the Commission's judgement of the data's sensitivity.

"If I had the information and was a sneaky hacker, I'd be thinking firstly that I could do lots of nice phishing with the electoral register data, pretending to be from a number of government agencies.

"Secondly, if it was all the mailboxes in all the past and current employees, there would be an absolute treasure trove of employee and external information to mine... That would mean anyone/everyone should be very suspicious of any email or physical mail they receive from the government for a while."

Dewi Price, CIO at Inizio Digital and formerly of institutions including Open University, Thames Water and Imperial College London, asked, "If they knew about the breach in October 2022, why has it taken 10 months to provide notification? The excuse that they 'had to remove the actors and their access' and 'put additional security measures in place' points to a very cumbersome technology estate and worrying lack of responsiveness."

The breach timeline - the intrusion dates to August 2021 but was not discovered until October 2022 - points to a less-than-annual security review. Questions must be asked: is this acceptable for central government?
