The Epic Fail of the UK Voter Register Hack
How 40 Million Records Were Up for Grabs
Imagine leaving your front door wide open, then wondering how burglars managed to take everything. That’s pretty much what happened with the U.K. Electoral Commission, which was hit by a cyberattack that exposed the voter records of 40 million people. And guess what? It was completely avoidable.
A Gentle Scolding for a Massive Blunder
Instead of facing the wrath of a hefty fine, the Electoral Commission got a polite finger-wagging from the ICO. You’d think letting 40 million people’s data hang out there might deserve more than a stern talking-to, right? Not this time.
The ICO decided to go with a “revised approach” to handling breaches by public bodies, meaning no big fines unless there’s “demonstrable harm.” So, even though the ICO admitted the Commission could’ve done better, it decided the failure wasn’t worth emptying the Commission’s wallet. Talk about getting off easy!
The ICO’s report basically reads like a how-not-to guide for data protection. The Electoral Commission managed to ignore basic security steps like patching its systems and using strong passwords. They might as well have used “123456” as their password!
Hackers waltzed in through a set of vulnerabilities known as ProxyShell, which were well known and had already been patched by Microsoft. But, surprise! The Electoral Commission never bothered to install those updates.
If only they were as quick with their security patches as they were with the excuses.
“We Could Have Prevented This… Oops!”
In a rare moment of honesty, the Electoral Commission admitted (yes, they really did!) that it didn’t have the right protections in place to stop the cyberattack. Thanks, Captain Obvious.
The Commission discovered the breach in October 2022, but the hackers had been poking around since August 2021. That’s more than a year of the Commission being blissfully unaware that its systems were like a sieve ☺️
“Not Our Fault” Debate
Even though the stolen data included names, addresses, phone numbers, and more, the ICO didn’t see any direct harm done. So, no need to punish anyone, right? The ICO chalked it up to luck that the data wasn’t misused — at least not in any way it could find.
In a delightful twist, the U.K. government pointed fingers at China for the breach. Naturally, China denied it, because why would they own up to a juicy espionage story?
After all this, the Electoral Commission finally decided to step up its game with some overdue security measures. It’s modernizing its infrastructure and rolling out multi-factor authentication. It’s like locking the barn door after the horse has bolted.
So, what’s the takeaway? If you’re a public sector body, make sure you don’t get caught with your cyber pants down. But if you do, don’t worry too much. As long as there’s no direct harm, you might just get away with a slap on the wrist — just like the Electoral Commission.
Maybe, just maybe, the next time someone leaves the data vault open, they’ll remember to lock it up tight.
About the Author:
Yash Bansal is an Associate Principal Engineer at RedBus. More info about him can be found on his LinkedIn profile.