The Information Commissioner's Office (ICO) has issued a reprimand to the Electoral Commission after hackers gained access to the information on the Electoral Register.
Hackers gained access to the Electoral Commission's server in August 2021 by impersonating a user account and exploiting known software vulnerabilities. They had access to the personal information of approximately 40 million people, including names and home addresses, until October 2022.
Following an investigation, the ICO concluded that the Electoral Commission had failed to ensure the security of personal data, as required by Article 5(1)(f) of the UK General Data Protection Regulation (GDPR). Patches for the vulnerabilities exploited by the hackers had been released prior to the incident, in April and May 2021, but the Electoral Commission did not have an appropriate patching regime.
The ICO also found that the Electoral Commission had infringed Article 32(1)(b) of the GDPR by not ensuring the ongoing confidentiality of its processing systems. Appropriate password management policies were not in place, and a number of user accounts, including one of the compromised accounts, had passwords identical or similar to those allocated when the accounts were created.
The ICO noted that these were basic measures that should be taken by any organisation processing personal data, regardless of its size or the level of risk involved.
Taking all the circumstances into account, including a number of remedial steps taken by the Electoral Commission following the incident, the ICO decided to issue a reprimand in respect of the infringements.
The ICO has a guide to data security on its website.