The UK’s elections watchdog says it’s taken three years and at least a quarter of a million pounds to fully recover from a hack that saw the private details of 40m voters accessed by Chinese cyber spies.
Last year, the Electoral Commission was publicly reprimanded for a litany of security failures that allowed hacking groups to spy undetected, after breaking into databases and email systems.
In the first interview about the hack, the commission’s new boss admits huge mistakes were made, but says the organisation is now secure.
“The whole thing was an enormous shock and basically it’s taken us quite a few years to recover from it,” says chief executive Vijay Rangarajan.
“The culture here has changed significantly now partly as a result of this. It’s a very painful way to learn.”
The Electoral Commission oversees elections and regulates political finance in the UK to ensure the integrity of the democratic process.
Mr Rangarajan was not CEO when the hack happened but says that colleagues described the chaos of discovering the hackers as “feeling like you’d been burgled whilst still inside the house”.
The hackers first breach was in August 2021, using a security flaw in a popular software programme called Microsoft Exchange. The digital hole was being exploited by suspected Chinese spies around the world and organisations were being warned to download a software patch to protect themselves. Despite months of warnings, the commission failed to do so.
Hackers had access to the full open electoral register containing the names and addresses of all 40m UK voters.
They could also read every email sent and received at the commission.
The criminals weren’t found until October 2022 during an password system upgrade.
Not keeping software up to date was one of several basic security mistakes made including having bad password practices, failing a basic government-run security audit and ignoring advice from the National Cyber Security Centre.
The Information Commissioner’s office issued a formal reprimand to the Electoral Commission but if equivalent mistakes were made in a private sector breach it would likely have led to a large fine.
Mr Rangarajan says that as well as the reprimand, stakeholders including in parliament were shocked by the complacency and asked “what were you doing?”
No individual person has been publicly reprimanded for the security lapses.
There were six by-elections during the period that hackers were inside the commission’s IT networks but there is no evidence that anything was affected by it.
However the commission says it still doesn’t know what the hackers were doing or what information they may have downloaded.
Mr Rangarajan admits that the hackers could have caused major disruption if they have installed malicious software or hampered communications during an election.
“All of this could have caused us amazing problems. It was a dangerous thing to have happened,” he said.
Chinese spies were blamed for the attack and received sanctions from British and US authorities. China has always denied any involvement.
Mr Rangarajan said staff at the time didn’t seem to think the commission would be targeted by hackers. This was despite high profile elections interference cases like the 2016 US presidential election hack of Hilary Clinton’s emails.
“I don’t think everyone realised quite how much democratic systems and electoral systems were targets. We tended to be quite comfortable in the way we runs things. We now have to be really up to speed with the threats,” he said.
The Electoral Commission was given grants of more then £250,000 to recover from the breach and now says it is spending significantly more of its budget on cyber security.
It has now passed the National Cyber Security Centre’s Cyber Essentials certification – the audit that an insider told the BBC it had failed in the build up to the hack. It has also achieved Cyber Essentials Plus – the highest level of certification from the scheme.
