40M UK Voter Register Records Were Stolen in Preventable Security Breach

• Cybercriminals stole 40 million UK voter register records from the country’s Electoral Commission.
• UK's Information Commissioner’s Office reveals the Electoral Commission breach happened due to poor security patching.
• The hackers exploited ProxyShell flaws that permitted Elevation of Privilege and Remote Code Execution.

Hackers have exfiltrated 40 million voter register records via a cyberattack due to the lack of basic security measures of the U.K. Electoral Commission, which stores copies of the British register of citizens eligible to vote in elections, according to a report by the U.K.’s Information Commissioner’s Office (ICO) data protection monitoring agency.

The Commission said that hackers stole various data, including copies of the U.K. electoral registers, which contained details on voters registered between 2014 and 2022, such as their names, home addresses, phone numbers, and unnamed private data.

The ICO report blames a series of security failings in the Electoral Commission’s systems for the data breach that began in August 2021, such as ineffective patching of known software vulnerabilities in its email server and improper password management – which the Commission confirmed soon after. 

Apparently, hackers used email servers for initial access. The Commission’s email was a self-hosted Microsoft Exchange server that was infiltrated by at least two groups of threat actors during 2021 and 2022. 

They exploited three flaws referred to as “ProxyShell” to enter and control the systems and deploy malware: CVE-2021-34473 (pre-auth path confusion leading to ACL bypass), CVE-2021-34523 (Elevation of Privilege on Exchange PowerShell backend), and CVE-2021-31207 (post-auth arbitrary file write leading to Remote Code Execution).

Microsoft released patches for these several months earlier in 2021, and the U.S. cybersecurity agency CISA warned about the active exploits in August 2021.

The organization discovered the unauthorized intrusion one year later and publicly disclosed it in August 2023.

The U.K. government later said that China state-affiliated actor APT31 (aka “Zirconium” or “Hurricane Panda”) was “almost certainly” at fault. The cybercriminals are known for targeting government entities in the U.S., Canada, Russia, Belarus, and Mongolia, as well as Europe-based companies and also public agencies in Finland, France, Germany, and Norway.