Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Electoral Commission. Show all posts

Unsolicited 'Offensive' Political Emails Stir Data Privacy Concerns in East London

 


As a result of an online mailing list that has been set up without any consent of the Tower Hamlets residents, content that is anti-Israel, anti-Labour and pro-Workers Party of Britain has been distributed without their knowing. In recent weeks, a Jewish woman known as Miriam Sadique had operated at least five newsletters using the Substacks platform. These newsletters had been called 'Muslims Today', 'East London Updates', 'East London', 'London Today', and 'Tower Hamlets Today' within the last few weeks. 

It should be noted that the majority of the Islamic websites have been lost, but 'Muslims Today' is still active. Some residents of Tower Hamlets have expressed concern over how their information has been shared by political newsletters that sent them unsolicited emails before and after the general election. It has been reported that within the last week, the Local Democracy Reporting Service (LDRS) has viewed screenshots from more than 600 emails that were sent to residents of Tower Hamlets and people who lived in the borough between July 3 and July 10 from several sources. 

There were different emails sent from multiple substacks from a single author called Mirriam Sadique in all of the emails judged by the LDRS. These emails were all promoting the Workers Party of Britain (WPB) and criticizing the opposition Labour Party. There is no information available about whether 'Mirriam Sadique' is a false profile, or an alias, with this name. It has been made known to the LDRS that it has contacted WPB for a comment about the emails and the name 'Mirriam Sadique' but as of the time of publication, the LDRS has not been able to acquire a response from them. 

As well as contacting the Electoral Commission, the Information Commissioner's Office (ICO) has also been contacted to get their views on this matter. Also, several residents have raised concerns about the emails they have been receiving from the local paper 'Roman Road LDN' in the days leading up to and after the general election. People received an unsolicited email in the run-up to the general election, which promoted George Galloway as the Workers Party of Britain (WPB) leader and encouraged people to register for the party. 

Based on the metadata associated with each newsletter, it appears that more than 11000 people have been sent the newsletters. There would be a reasonable amount of credit to be given to a very large organization if the mailing list of this size is sourced from them.  It is illegal to obtain data unlawfully. The Data Protection Act 2018 stipulates that it is a criminal offence to knowingly or recklessly obtain personal information without consent and that violating the law could result in a fine of up to an unlimited amount. It is important to note that all newsletters have a political bent. 

On July 1st, an e-mail was sent titled 'Tower Hamlets Will Reject Labour Party, Predicts East London Mosque Imam', which went on to promote the Women's British Party and express its opposition to Labour. On July 3rd, a newsletter titled "4 Reasons Tower Hamlets Will Reject Labour" was distributed. This publication featured a visual comparison between George Galloway and the current Prime Minister, Keir Starmer. 

The image juxtaposed Galloway with Starmer, placing an Israeli flag behind Starmer. Underneath Galloway's image, several policy positions were listed: "Permanent ceasefire now," "Abolish tuition fees," "Introduce rent controls," and "Keep NHS free." In contrast, beneath Starmer's image, the following statements were displayed: "‘Israel does have that right’," "Tuition fees will stay," "No rent control," and "Deport Bangladeshis." 

In the same newsletter, a campaign poster for Kamran Khan, the Workers Party of Britain (WPB) parliamentary candidate for Poplar and Limehouse, was also included. The poster emphasized the need for MPs in Tower Hamlets who oppose wars and genocide, questioning whether the Labour Party, under the leadership of Tony Blair and Keir Starmer, aligns with those values. More recently, on July 9th, another newsletter was circulated by "London Today." This publication featured an article with the provocative title, "Pro-Israel Rabbi Ponders Whether God Is an Antisemite," which mocked American rabbi and author Shmuley Boteach.

Hackers Exploit Security Flaws to Access Millions of UK Voters' Details

 


The UK's data privacy watchdog has found that the personal details of millions of UK voters were left exposed to hackers due to poor security practices at the Electoral Commission. The breach occurred because passwords were not changed regularly and software updates were not applied.

The cyber-attack began in August 2021 when hackers gained access to the Electoral Registers, containing details of millions of voters, including those not publicly available. The Information Commissioner's Office (ICO) has formally reprimanded the Electoral Commission for this security lapse. The Electoral Commission expressed regret over the insufficient protections and stated that they have since improved their security systems and processes.

No Evidence of Data Misuse

Although the investigation did not find any evidence of personal data misuse or direct harm caused by the attack, the ICO revealed that hackers had access to the Electoral Commission's systems for over a year. The breach was discovered only after an employee reported spam emails being sent from the commission's email server, and the hackers were eventually removed in 2022.

Accusations and Denials

The UK government has accused China of being behind the attack on the Electoral Commission. However, the Chinese embassy has dismissed these claims as "malicious slander."

Basic Security Failures

The ICO’s investigation surfaced that the Electoral Commission failed to implement adequate security measures to protect the personal information it held. Hackers exploited known security weaknesses in the commission's software, which had not been updated despite patches being available for months. Additionally, the commission did not have a policy to ensure employees used secure passwords, with 178 active email accounts still using default or easily guessable passwords set by the IT service desk.

Preventable Breach

ICO deputy commissioner Stephen Bonner emphasised that the data breach could likely have been prevented if the Electoral Commission had taken basic security steps. By not promptly installing the latest security updates, the commission's systems were left vulnerable to hackers.

This incident serves as a striking reminder of the importance of regular software updates and strong password policies to protect sensitive data from cyber-attacks.


Electoral Commission Fails Cyber-Security Test Amidst Major Data Breach

 

The Electoral Commission has acknowledged its failure in a fundamental cyber-security assessment, which coincided with a breach by hackers gaining unauthorized access to the organization's systems. 

A whistleblower disclosed that the Commission received an automatic failure during a Cyber Essentials audit. Last month, it was revealed that "hostile actors" had infiltrated the Commission's emails, potentially compromising the data of 40 million voters.

According to a Commission spokesperson, the organization has not yet managed to pass this basic security test. In August of 2021, the election watchdog disclosed that hackers had infiltrated their IT systems, maintaining access to sensitive information until their detection and removal in October 2022. 

The unidentified attackers gained access to Electoral Commission email correspondence and potentially viewed databases containing the names and addresses of 40 million registered voters, including millions not on public registers.

The identity of the intruders and the method of breach have not yet been disclosed. However, it has now been revealed by a whistleblower that in the same month as the intrusion, the Commission received notification from cyber-security auditors that it was not in compliance with the government-backed Cyber Essentials scheme. 

Although participation in Cyber Essentials is voluntary, it is widely adopted by organizations to demonstrate their commitment to security to customers. For organizations bidding on contracts involving sensitive information, the government mandates holding an up-to-date Cyber Essentials certificate. In 2021, the Commission faced multiple deficiencies in their attempts to obtain certification. 

A Commission spokesperson acknowledged these shortcomings but asserted they were unrelated to the cyber-attack affecting email servers.

One of the contributing factors to the failed test was the operation of around 200 staff laptops with outdated and potentially vulnerable software. The Commission was advised to update its Windows 10 Enterprise operating system, which had become outdated for security updates months earlier. 

Auditors also cited the use of old, unsupported iPhones by staff for security updates as a reason for the failure. The National Cyber Security Centre (NCSC), an advocate for the Cyber Essentials scheme, advises all organizations to keep software up to date to prevent exploitation of known vulnerabilities by hackers.

Cyber-security consultant Daniel Card, who has assisted numerous organizations in achieving Cyber Essentials compliance, stated that it is premature to determine whether the identified failures in the audit facilitated the hackers' entry. 

He noted that initial signs suggest the hackers found an alternative method to access the email servers, but there is a possibility that these inadequately secured devices were part of the attack chain.

Regardless of whether these vulnerabilities played a role, Card emphasized that they indicate a broader issue of weak security posture and likely governance failures. The NCSC emphasizes the significance of Cyber Essentials certification, noting that vulnerability to basic attacks can make an organization a target for more sophisticated cyber-criminals.

The UK's Information Commissioner's Office, which holds both Cyber Essentials and Cyber Essentials Plus certifications, stated it is urgently investigating the cyber-attack. When the breach was disclosed, the Electoral Commission mentioned that data from the complete electoral register was largely public. 

However, less than half of the data on the open register, which can be purchased, is publicly available. Therefore, the hackers potentially accessed data of tens of millions who had opted out of the public list.

The Electoral Commission confirmed that it did not apply for Cyber Essentials in 2022 and asserted its commitment to ongoing improvements in cyber-security, drawing on the expertise of the National Cyber Security Centre, as is common practice among public bodies.

Digital Disaster: Electoral Commission Data Breach Leaves 40 Million UK Voters Exposed

 


In the wake of the revelation that a hostile cyber-attack between February and May of last year was able to access the data of 40 million voters without being detected, along with the lack of notification to the public for about ten months, public confidence in the UK's electoral regulator has been sorely tested. 

It is estimated that the personal information of approximately 40 million U.K. voters has been vulnerable for over a year – as a result of the Electoral Commission falling victim to a complex cyberattack. It has been reported that in October 2022, the Electoral Commission noticed suspicious activity on its network and confirmed that it had detected it. 

The Electoral Commission is responsible for supervising elections in the country. Unidentified "hostile actors," however, gained access to the company's systems over a year earlier, in August 2021, and it was later revealed that the company had been compromised by such actors. 

There have been reports to the Information Commissioner's Office (ICO) as well as the National Crime Agency that the attack was detected within 72 hours after it was reported to them. An intrusion allowed unauthorized access to the servers of the Commission, which house email, control systems, and copies of the electoral registers that the Commission maintains for research purposes, having enabled the intrusion to become successful. It is currently unknown who the intruders are and where they came from.

However, the Commission did tell the BBC and The Guardian that it delayed this disclosure by another 10 months to prevent the adversary from getting access to the network, investigate the extent of the breach, and enforce security safeguards. It is not clear why the disclosure was delayed by another 10 months. 

As noted in the report, the Commission noted that the data that can be accessed is also able to be combined with information that is publicly accessible to "infer patterns of behaviour or to identify and profile individuals and groups of individuals." 

Furthermore, it said that the attack had no impact on the electoral process or the electoral registration status of any voters and that there is little risk to people in terms of their details held on the email servers of the company, except that they contain any sensitive information. 

Among the names and addresses included in the registers were those of a person residing in the United Kingdom, who will be eligible to vote between 2014 and 2022, as well as the names of those who plan to cast their ballots from outside of the United Kingdom. 

Nevertheless, they did not contain any information regarding those who qualified for anonymous registration as well as addresses for overseas electors who were registered outside of England and Wales. An attack was discovered by the Information Commissioner's Office (ICO) and the National Crime Agency within 72 hours of being discovered last October.

As a result, the ICO immediately reported the incident to both entities. Despite this, it was only recently disclosed to the public that millions of voters' data may have been if not all, accessible through the election registers over the last several years. 

There is no conclusive way that the Electoral Commission can determine what information had been accessed. The attackers are unknown to have been associated with a hostile state, such as Russia, or with a cyber gang that offers a criminal nature. 

The Electoral Commission has said that the records of most of these people would have been publicly accessible anyhow because they were on the open register, to begin with. However, a Sky News analysis reveals that about 28 million people missed out on the open registration system that year, as a result of their own decisions.