NEW: We have reprimanded the Electoral Commission after hackers gained access to servers that contained the personal information of approximately 40 million people. Read on for more details.

In August 2021, hackers successfully accessed their server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured. Until October 2022 – over a year later – the attackers had access to the personal information held on the Electoral Register, including names and home addresses.

The Electoral Commission did not have appropriate security measures in place to protect the personal information it held:

➡️ servers weren’t kept up to date with the latest security updates
➡️ many accounts still used passwords identical or similar to the ones originally allocated by the service desk

Read more about our action: https://lnkd.in/dPR_icrb

Stephen Bonner, Deputy Commissioner at the ICO, said:

“The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands.

“This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure and up-to-date. Otherwise, you put people’s personal information at risk.

“I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.”

We have more security guidance for all organisations on our website: https://lnkd.in/eVSbmnRT
Stephen Bonner wrote: "I want to reassure the public that while an unacceptably high number of people were impacted". An unacceptably high number of people? 40 million of 45 million registrations leaked at the time. It doesn't get much worse than that.
Until the Information Commissioner's Office starts taking real action, and imposing fines and penalties for breaches, organisations will continue to have a laissez-faire attitude to compliance. A stern telling-off for serious breaches such as this is simply laughable 😡
And yet voter registration data is available to all at the local library and can also be purchased should anyone want it. I can imagine a lot of the public sector is woeful when it comes to DP and security issues and hope ICO are proactive in preventative education.
"found no evidence" is not the same as it didn't happen! The whole point is the people who got the data are not to be trusted, so we'll never know how many scam and fraud attempts or successes were made using this data.
Why don't we just introduce a new act to replace the UK GDPR? I will even write it for them for free... here it is: "Do nothing"
Lots of people dunk on this decision; my prior experience working with Stephen suggests that this was the “best” outcome available in the context of current legislation, details of the incident and actions by the EC. Separately, it makes little sense for government-type organisations to be fined by the government, because the public suffers. What should probably happen is individual accountability at senior level at those public sector organisations.
It doesn't get much weaker than this.