The Electoral Commission has been reprimanded over cybersecurity lapses that led to the personal data of 40 million people being hacked.
The Information Commissioner’s Office (ICO) has found that cybercriminals were able to access data held on the electoral register after they exploited software vulnerabilities that the electoral watchdog had known about for months.
The ICO found the electoral body had failed to install the latest security updates at the time of the attack, which occurred in 2021 but was not identified until late 2022.
It also revealed the watchdog had inadequate passwords in place at the time of the incident, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.
Stephen Bonner, deputy commissioner at the ICO, said: “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly,…