The Electoral Commission has confirmed that it has not passed a Cyber Essentials test – one of the basic requirements for good cyber security – over the past two years.
The acknowledgement has come weeks after the organisation said it had been the subject of a cyber attack in August 2021, and that it first identified access to its systems in October 2022.
In response to a report by the BBC, the commission confirmed to UKAuthority that it did not pass the Cyber Essentials test in 2021 due to issues related to an earlier version of Windows on some laptops and a data version of staff mobiles. It added, however, that these were not related to the cyber attack in any way.
It did not take a test in 2022.
An Electoral Commission spokesperson said: “We are always working to improve our cyber-security and systems. We draw on the expertise of the National Cyber Security Centre – as many public bodies do – to continue to develop and progress protections against cyber-threats.
“We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber threats as they evolve and take different forms. We welcome these learnings and act on them.”
Important element of security
Cyber Essentials, which was set up by the National Cyber Security Centre and is run by the IASME consortium, provides certification for organisations that they can show they have taken the appropriate steps to maintain strong cyber security. It is widely regarded as an important element of security in the public sector.
The data breach of last month involved hostile actors accessing reference copies of electoral registers held by the commission for research purposes and to enable permissibility checks on political donations. At the time the commission said there had been no indication of any information being copied, removed, or published online.
The incident is now being investigated by the Information Commissioner’s Office.
