The UK’s Electoral Commission exposed the personal details of 40 million voters, covering registrations from 2014 to 2022, because of unpatched vulnerabilities in its Microsoft Exchange Server. Attackers accessed the server through the publicly known ProxyShell vulnerabilities in August and October 2021, installing malware and sending spam before the intrusions were detected and only partially mitigated.
The ICO investigation found a lack of effective patch management and inadequate password policies, which left the system exposed even though Microsoft had released security updates for these vulnerabilities months earlier. Despite a recommendation from the National Cyber Security Centre to investigate more broadly, the Electoral Commission treated the incident as isolated and took no further immediate action, focusing instead on an upcoming cloud migration.
Following the breach, the Electoral Commission introduced stronger security measures, including multi-factor authentication and enhanced password policies. It received only a reprimand from the ICO, reflecting the ICO’s policy of limiting financial penalties on public sector bodies.
Read ICO’s article for more information.