The United Kingdom’s Information Commissioner’s Office (ICO) revealed today that the Electoral Commission was breached in August 2021 because it failed to patch its on-premise Microsoft Exchange Server against ProxyShell vulnerabilities.
In March, the U.K. National Cyber Security Centre (NCSC) attributed the UK Electoral Commission breach to a Chinese state-backed threat actor.
Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, these security flaws were chained to hack into the commission’s Exchange Server 2016 and deploy web shells, which allowed the attackers to gain persistence after installing web shells and backdoors.
While Microsoft released security updates in May 2021 that fixed the ProxyShell vulnerability chain, the commission failed to patch its systems promptly, exposing them to attacks.
The attack and the deployed malware were discovered on October 28, 2021, when an employee found that the Commission’s Exchange server was being used to send spam emails.
During the breach, the Chinese hackers gained access to the personal information of around 40 million people, including their names, home addresses, email addresses, and phone numbers.
While the commission downplayed the impact, saying “much of it is already in the public domain,” only voters’ names and addresses are publicly available in the U.K. open register.
“Our investigation found that the Electoral Commission did not have appropriate security measures in place to protect the personal information it held,” the ICO said.
“The Electoral Commission also did not have sufficient password policies in place at the time of the attack, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.”
Slap on the wrist
Today, the ICO reprimanded the U.K. elections authority for failing to protect its systems and the personal information of millions of voters.
The ICO Deputy Commissioner Stephen Bonner said that if the commission “had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”
However, Bonner added that the ICO has no reason to believe any personal information was misused since it was accessed in 2021 and has yet to find evidence that the breach has caused direct harm to impacted voters.
In August 2021, days after the U.K. Electoral Commission breach was disclosed, Shodan revealed that it was tracking tens of thousands of Exchange servers vulnerable to ProxyShell attacks.
The breach came after the U.K., the U.S., and its allies blamed China’s Ministry of State Security (MSS) for widespread attacks that hit tens of thousands of organizations worldwide in March 2021. MSS is linked to state-backed hacking groups tracked as APT40 and APT31.
