UK Electoral Commission data breach exposes 8 years of voter data

vtqhtr413

The UK Electoral Commission disclosed a massive data breach exposing the personal information of anyone who registered to vote in the United Kingdom between 2014 and 2022. The disclosure comes ten months after the Commission first detected the breach and two years after the initial breach occurred, raising questions about why it took so long to report the incident to the public.

In the "public notification of cyber-attack," the Commission says they first detected the attack in October 2022 but since learned that threat actors breached their systems much earlier, in August 2021. As part of this cyberattack, the threat actors accessed the government agency's servers holding its email, control systems, and copies of electoral registers.

"They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations," warns the data breach notification. "The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters."
 

vtqhtr413

It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents. Some online sleuthing independently done by TechCrunch reporter Zack Whittaker and researcher Kevin Beaumont suggests that a pair of critical vulnerabilities in Microsoft Exchange Server, which large organizations use to manage email accounts, was the cause.

Tracked as CVE-2022-41080 and CVE-2022-41082, the remote code execution chain came to light on September 30, 2022, after it had already been actively exploited for more than a month in attacks that installed malicious webshells on vulnerable servers. Microsoft issued guidance for mitigating the threat but didn’t patch the vulnerabilities until November 8, six weeks after confirming the existence of the actively exploited zero-day vulnerability chain.

In the weeks following the discovery of the zero-days, Beaumont reported that the mitigation measures Microsoft recommended could be bypassed. On Wednesday, he once again faulted Microsoft, first for providing faulty guidance and again for taking three months to release patches.
 