ICO (UK) - ICO v The Electoral Commission
| ICO - ICO v The Electoral Commission | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(1)(f) UK GDPR; Article 32(1)(b) UK GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | The Electoral Commission |
| National Case Number/Name: | ICO v The Electoral Commission |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO site (in EN) |
| Initial Contributor: | Sainey Belle |
The ICO issued a reprimand to the UK Electoral Commission after unknown threat actors accessed its on-premise Microsoft Exchange server via the ProxyShell vulnerability chain, affecting the personal data of approximately 40 million data subjects on the electoral register. The ICO found that the Commission had failed to comply with Article 5(1)(f) and Article 32(1)(b) UK GDPR because it had no appropriate patching regime and no adequate password management policy.
English Summary
Facts
The on-premise Microsoft Exchange server of the Electoral Commission ("the controller") was accessed by unknown threat actors. The affected personal data was mainly the electoral register, which contains the names and home addresses of approximately 40,000,000 data subjects.
The investigation identified three separate clusters of threat-actor activity:
1. Cluster 1: On 24 August 2021, a threat actor gained access to the on-premise Exchange Server 2016 via the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207: a pre-authentication path-confusion flaw, a privilege elevation on the Exchange PowerShell back end, and a post-authentication arbitrary file write). A user account was impersonated during exploitation, which allowed web shells to be written onto the server. One web shell persisted and was accessed again on 16 September 2021, 13 June 2022 and 2 August 2022; from 14 March 2022, backdoors were also installed on the system.
2. Cluster 2: On 3 October 2021, a second threat actor exploited the same ProxyShell vulnerabilities and deployed a web shell, which was quarantined and deleted. On 14 March 2022, a scheduled task configured to download and execute a payload was created on the server, using the same IP address as in October 2021; the investigators could not determine whether the actor had retained access or re-compromised the server.
3. Cluster 3: On 28 October 2021, an employee reported that spam emails were being sent from the controller's Exchange server; the messages were leaving the server's send queue but did not appear in the user's Sent Items folder in Outlook. A scan showed that the server had been injected with malware.
Following the Cluster 3 detection, the server was shut down and scrubbed before being restarted, and a penetration test was commissioned. The NCSC was informed and recommended a wider investigation by an accredited incident response company; the controller considered the incident isolated and, as it was moving to the cloud, limited its remediation of the old servers.
Holding
The ICO held that the controller did not have an appropriate patching regime at the time of the incident, which left a number of vulnerabilities present on its Exchange server; the ProxyShell chain was used on several occasions even though Microsoft had released patches for it in April and May 2021, months before the first intrusion in August 2021. A report produced during the incident highlighted a further eight vulnerabilities on the servers which, although not exploited on this occasion, could have been. The ICO described patching as a basic measure expected of any organisation processing personal data, regardless of size or risk, and found a lack of compliance with Article 5(1)(f) UK GDPR.
Contrary to Article 32(1)(b) UK GDPR, the controller also had no dedicated password management policy in place. Its acceptable use policy only stated that passwords should not be revealed or written down. During the investigation it emerged that one of the compromised accounts was still using the password allocated to it on creation. A subsequent audit of the Active Directory passwords rapidly cracked 178 active accounts whose passwords were identical or similar to the ones issued by the service desk on account creation or password reset, and found a further 33 deactivated accounts with similar passwords; the auditors noted that this reuse left the controller's passwords highly susceptible to password guessing.
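The password finding above (and paragraphs 7.1 to 7.3 of the decision reproduced below) describes an audit that matched Active Directory password hashes against the service-desk defaults and their near variants. The following Python script is an added example of that kind of check; it is not code from the ICO, the Electoral Commission or its auditors. The service-desk default "Welcome", the variant rules, the usernames and the hash dump are all constructed for illustration; a real run would take the NT hashes extracted from the domain controller and the organisation's actual issued-password pattern. MD4 is implemented in pure Python because many OpenSSL builds disable it, which makes hashlib.new("md4") fail.

```python
"""Added example: audit an NT-hash dump for passwords identical or similar
to the service-desk default. Not code from the ICO, the Electoral
Commission or its auditors; pattern, names and hashes are constructed."""
import struct
from typing import Dict, Iterable, Set

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python so the audit still runs where
    OpenSSL's legacy provider is disabled and hashlib.new("md4") fails."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step updates "a" then rotates the registers, which reproduces
        # the a/d/c/b update order of the specification.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash is MD4 over the UTF-16LE encoding of the password."""
    return _md4(password.encode("utf-16-le")).hex()


def candidate_passwords(defaults: Iterable[str], years: Iterable[int]) -> Set[str]:
    """Expand each issued default into the 'similar' forms users produce when
    told to change it: case variants, punctuation, counters and years.
    These rules are an assumption; tune them to the real issuing pattern."""
    years = list(years)
    out: Set[str] = set()
    for base in defaults:
        for form in {base, base.lower(), base.upper(), base.capitalize()}:
            out.add(form)
            for suffix in ("!", "?", "#", "123", "1!"):
                out.add(form + suffix)
            for n in range(100):
                out.add(f"{form}{n}")
            for y in years:
                out.add(f"{form}{y}")
                out.add(f"{form}{y}!")
    return out


def audit(dump_lines: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Match 'user:rid:lmhash:nthash:::' lines (the secretsdump/ntds layout)
    against the candidates. Hashing the few hundred candidates once and
    looking each account up is what makes such an audit 'rapid'."""
    table = {nt_hash(p): p for p in candidates}
    cracked: Dict[str, str] = {}
    for line in dump_lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # comment or malformed line
        user, nt = fields[0], fields[3].lower()
        if nt in table:
            cracked[user] = table[nt]
    return cracked


# Constructed sample: cleartexts appear only to build the dump here; a real
# audit starts from hashes extracted from the domain controller.
_SAMPLE_ACCOUNTS = {
    "alice": "Welcome1",        # never changed the issued password
    "bob": "Welcome2",          # "similar": bumped the trailing digit
    "carol": "Welcome2022!",    # year plus punctuation
    "dave": "xK9#pL2mQ!vR7wZ",  # unrelated password, must not be flagged
}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
SAMPLE_DUMP = [
    f"{user}:{1000 + i}:{EMPTY_LM}:{nt_hash(pw)}:::"
    for i, (user, pw) in enumerate(_SAMPLE_ACCOUNTS.items())
]


def run_sample_audit() -> Dict[str, str]:
    """Audit the constructed dump with 'Welcome' as the assumed default."""
    return audit(SAMPLE_DUMP, candidate_passwords(["Welcome"], range(2020, 2024)))


if __name__ == "__main__":
    for user, pw in sorted(run_sample_audit().items()):
        print(f"{user}: password derived from service-desk default ({pw!r})")
```

Running the script flags alice, bob and carol and leaves dave alone. The same approach scales to a full domain dump: the candidate list stays small because it is derived from the issuing pattern rather than from a generic wordlist, which is why reuse of service-desk passwords is so cheap to find and why the audit in the decision could crack 178 active accounts quickly.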
In light of the incident, the controller implemented the following steps:
- multi-factor authentication for all users;
- password policy controls within Active Directory;
- a solution supporting its threat and vulnerability programmes;
- monitoring of all servers, firewalls and internet traffic;
- a technology modernisation plan, with an external provider onboarded to deliver a managed infrastructure support service.
These remedial steps were considered and welcomed by the ICO.
In light of the above, the ICO decided to issue a reprimand.
Text of the Decision
The decision below is reproduced from the ICO's English original. Parts of the published decision (names of investigators and vendors, and some technical details) are redacted; refer to the original source for full details.
The ICO exists to empower you through information. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. T. 0303 123 1113, ico.org.uk

DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

To: The Electoral Commission
Of: 3 Bunhill Row, London, EC1Y 8YZ

The Information Commissioner (the Commissioner) issues a reprimand to The Electoral Commission in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain infringements of the UK GDPR.

1. Summary of Incident

1.1 The Electoral Commission is the independent body which oversees elections and regulates political finance in the UK. They also work to promote public confidence in the democratic process and ensure its integrity.

1.2 It is the Commissioner's understanding that unknown Threat Actors gained unauthorised access to The Electoral Commission's on-premise Microsoft Exchange Server ([redacted]) via the ProxyShell vulnerability chain.

1.3 The personal data affected by this incident relates mainly to the Electoral Register, which contains the names and home addresses for approximately 40,000,000 data subjects.

1.4 During the course of this incident, three separate clusters of Threat Actor activity were identified. [redacted] investigated Clusters one and two, and [redacted] investigated Cluster three. A summary of each Cluster is below.

2. Cluster 1

2.1 On 24 August 2021, an unknown Threat Actor gained access to an on-premise Microsoft Exchange Server 2016 via the ProxyShell vulnerability chain. The vulnerability chain consisted of the following vulnerabilities: CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473. A user account was impersonated during the exploitation of these vulnerabilities, which led to web shells being created on the system.

2.2 One of these web shells ([redacted]) persisted on the system and was accessed on 16 September 2021, 13 June 2022 and 02 August 2022. From 14 March 2022, backdoors in the form of [redacted] were also installed on the system.

3. Cluster 2

3.1 On 03 October 2021, a second Threat Actor successfully exploited the ProxyShell vulnerabilities and deployed a web shell to the server. This web shell was quarantined and deleted by [redacted].

3.2 On 14 March 2022, a scheduled task was created on server [redacted]. [redacted] were unable to determine whether the Threat Actor retained access to the Exchange Server or if they re-compromised it in March 2022. The scheduled task was configured to download and execute a payload; the IP address for these actions was the same as the one used in October 2021.

3.3 The last observed threat activity occurred via a connection from a host [redacted] to [redacted]. [redacted] did not identify any follow-on activity associated with the malware.

4. Cluster 3

4.1 On 28 October 2021, an alert was raised when an employee reported that spam emails were being sent from The Electoral Commission's Exchange Server. Emails from the sent items queue in Exchange Server were being sent from the server, but were not in the individual's visible sent items in Outlook. A scan was carried out on the on-premise Exchange Server which showed that it had been injected with malware ([redacted]).

4.2 Following this, the Exchange Server was shut down and scrubbed using [redacted], before being restarted. A new scan showed that the virus had been removed. At this stage, [redacted] were engaged to support initial remediation and carry out a penetration test.

4.3 The Electoral Commission also advised the National Cyber Security Centre (NCSC) about this incident. The NCSC raised concerns about the incident being similar to activity which was discussed in a Microsoft blog in March 2021. The NCSC strongly recommended that a wider investigation into The Electoral Commission's IT systems should be carried out by a CIR (Cyber Incident Response) accredited company. At the time, The Electoral Commission considered that the incident was isolated and, as they were moving closer to migration to the Cloud, remedial action with the old servers was limited. The Electoral Commission stated that they were aware of the problems with out-of-date infrastructure.

5. The reprimand

5.1 The Commissioner has decided to issue a reprimand to The Electoral Commission in respect of the following alleged infringements of the UK GDPR:

- Article 5(1)(f), which states that personal data shall be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
- Article 32(1)(b), which states: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services."

5.2 The reasons for the Commissioner's findings are set out below.

5.3 Our investigation found infringements in relation to the security requirements of the UK GDPR and these are set out below.

6. Article 5(1)(f)

- The Electoral Commission were not ensuring the security of personal data as per Article 5(1)(f).

6.1 The Electoral Commission did not have an appropriate patching regime in place at the time of the incident. This led to a number of vulnerabilities being present on their on-premise Exchange Server. The ProxyShell vulnerability chain was utilised on several occasions during this incident and the patches for these vulnerabilities were released in April and May 2021.[1]

6.2 Furthermore, a report produced during this incident highlighted a further eight vulnerabilities which were also present on the servers. Although not utilised on this occasion, any one of them could have been exploited by a Threat Actor whilst they existed on the relevant systems.

6.3 The NCSC and NIST have both produced extensive guidance on patching which highlight the importance of having an appropriate patching plan in place as well as the actions organisations can take.[2][3]

6.4 This failing is a basic measure that we would expect to see implemented in any organisation processing personal data, regardless of potential severity of risk or size of organisation.

7. Article 32(1)(b)

- The Electoral Commission were not ensuring the ongoing confidentiality of its processing systems as per Article 32(1)(b).

7.1 The Electoral Commission did not have appropriate password management policies in place at the time of the incident. During the Electoral Commission's investigation, they discovered that one of the compromised accounts was still using a password which was allocated to the account upon creation. Following this, [redacted] were instructed to perform an audit of user passwords in The Electoral Commission's Active Directory.

7.2 [redacted] were able to rapidly crack 178 active accounts using passwords identical or similar to the ones provided to users by the Service Desk upon account creation or password reset. An additional 33 deactivated accounts with similar passwords were also found. Following their audit, [redacted] stated that this practice of reusing passwords makes The Electoral Commission's passwords highly susceptible to password guessing.

7.3 The Electoral Commission did not have a dedicated password management policy in place at the time of the incident. The policy (Acceptable Use) which was in place did not contain any specific password management guidance; the only reference to passwords stated "do not reveal or write down passwords".

7.4 The NCSC and NIST have produced guidance on passwords which highlight the importance of staff training as well as password length and other mitigations like rate limiting.[4][5]

7.5 This failing is a basic measure that we would expect to see implemented in any organisation processing personal data, regardless of potential severity of risk or size of organisation.

8. Remedial steps taken by The Electoral Commission

8.1 The Commissioner has also considered and welcomes the remedial steps taken by The Electoral Commission in the light of this incident. In particular:

- Implemented a Technology Modernisation Plan;
- Onboarded [redacted] to provide a Managed Infrastructure Support Service;
- Implemented [redacted], which monitors all servers, firewalls and internet traffic;
- Implemented [redacted] solution which supports Threat and Vulnerability programs;
- Implemented password policy controls within their Active Directory;
- Implemented Multi-factor authentication (MFA) for all users.

9. Decision to issue a reprimand

9.1 Taking into account the circumstances of this case, including the remedial steps, the Commissioner has decided to issue a reprimand to The Electoral Commission in relation to the infringements of Articles 5(1)(f) and 32(1)(b) of the UK GDPR set out above.[6]

Footnotes

[1] Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779) - Microsoft Support
[2] The problems with patching - NCSC.GOV.UK
[3] Guide to Enterprise Patch Management Technologies (nist.gov)
[4] password policy infographic.pdf
[5] NIST Special Publication 800-63B
[6] The Electoral Commission has had an opportunity to make representations to the Commissioner in response to the Notice of Intent regarding this reprimand. The Electoral Commission accepted the Notice of Intent and the Commissioner's findings.