The Electoral Commission has admitted it failed a cybersecurity test in the same year hackers successfully attacked the organisation.
The UK’s elections watchdog said it did not pass a Cyber Essentials test, a voluntary government-backed scheme that assesses an organisation’s readiness against cyber-attacks.
The commission said it failed the test in 2021, when it was breached by an unknown assailant.
The organisation revealed last month that it had been the subject of a “complex cyber-attack” that resulted in hackers accessing reference copies of the electoral registers, equating to the names and addresses of 40 million people. It said the attack started in August 2021 but was not detected until October 2022.
The commission said it did not pass the test due to two issues unrelated to the hack: an earlier version of Windows software on some laptops and a dated version of staff mobiles. It said those problems were not linked to the attack, which affected the organisation’s email servers.
“We are always working to improve our cybersecurity and systems. We draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyber-threats. We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber-threats as they evolve and take different forms. We welcome these learnings and act on them,” said an Electoral Commission spokesperson.
The Cyber Essentials website states that the scheme is important because vulnerability to basic attacks marks organisations out as targets for “more in-depth unwanted attention from cyber criminals and others”.