Hacked Electoral Commission failed Cyber Essentials audit

The UK’s Electoral Commission has admitted that it failed a National Cyber Security Centre (NCSC) Cyber Essentials audit at around the same time as a threat actor breached its systems and stole data on millions of British voters in a year-long intrusion that began in August 2021.

According to the BBC, which was alerted to the situation by an internal whistleblower, the elections watchdog received an automatic fail after its Cyber Essentials assessors found it to be non-compliant with the scheme.

Among some of the alleged failings found by auditors were staff laptops and smartphones running outdated systems and software, including Windows 10 Enterprise, which no longer receives security updates and will reach end of support in a little over two years.

The Electoral Commission, which did not take a follow-up test in 2022 so remains uncertified, said that none of the issues over which it failed the Cyber Essentials audit were related to the cyber attack – which has been linked to a breached email server – in any way.

“We are always working to improve our cyber security and systems. We draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyber threats,” said a spokesperson for the Electoral Commission.

“We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber threats as they evolve and take different forms. We welcome these learnings and act on them.”

The government-backed Cyber Essentials programme, which is overseen by the NCSC and its partner the ISAME consortium, is designed to establish a baseline of cyber security competency within organisations.

It is supposed to give organisations a clear picture of where they stand vis-à-vis cyber security, and act as reassurance for customers and new business partners that organisations are secured to a minimum standard, which appropriate measures in place.

Cyber Essentials certification is not for everyone, but it is highly recommended for most organisations, and obtaining certification is mandatory for any holder of a government contract that involves handling personal data or providing certain IT products and services.

Rubrik EMEA CISO Richard Cassidy said that failing to pass a Cyber Essentials audit was somewhat akin to leaving your doors and windows unlocked in a bad neighbourhood.

“A Cyber Essentials audit is one of the simplest industry frameworks designed to uphold an organisation's cyber resilience. These frameworks exist to ensure the basics of digital hygiene are adhered to and failing them due to out-of-date systems and devices should have well and truly raised the alarm,” he said.

“A breach is always the culmination of a series of lapses: technology that isn’t used or configured properly, or failure to deploy the right technology at all, processes that are poorly defined or aren't adhered to, and people who aren't sufficiently educated or empowered about best practices. It’s a chain, and every link matters. When one fails, the integrity of the entire chain is compromised. A Cyber Essentials audit helps to ensure the integrity of the entire chain is upheld,” said Cassidy.