40M Voters Exposed: Security Lessons from a Major Breach

Over the next 12 days, this mini-series will share short, real-world security lessons from recent incidents, and industry trends. Each post will focus on a single topic, highlight what happened, and outline practical steps organisations can take to reduce risk. The aim is to provide short, accessible insights that reflect how security challenges are unfolding in practice, without long technical breakdowns or high-level theory.

In 2024, the ICO formally reprimanded the Electoral Commission after a cyber security incident exposed the personal information of approximately 40 million voters.

What Happened (Timeline & Facts)

  • On 24 August 2021, attackers gained unauthorised access to the EC’s on-premises Microsoft Exchange Server by exploiting known vulnerabilities (the so-called “ProxyShell” vulnerability chain).
  • Sensitive personal data on the electoral register, primarily names and home addresses, became accessible.
  • The compromise remained undetected until October 2022, over a year later.
  • In July 2024, the ICO issued a reprimand, finding that the EC had failed to implement basic technical and organisational safeguards, namely patching known vulnerabilities and enforcing secure password policies.

Despite the scale, the ICO stated that it found no evidence of misuse of the exposed data.

After public disclosure, the EC committed to modernising its infrastructure, rolling out password policy improvements, and implementing multi-factor authentication (MFA) for all users.

Why It Matters (Beyond ‘Another Breach’)

  • 40 million records is roughly two-thirds of the UK voting population – the exposure was huge.
  • The breach wasn’t triggered by a zero-day or previously unknown malware; it was due to a failure to patch and poor password hygiene. These kinds of issues are avoidable but common, even in large organisations.
  • Attackers had privileged access for over a year. This shows that prevention alone (patching, security tools) isn’t enough: detection, monitoring, and timely response are just as critical.

Lessons Worth Implementing (If you Haven’t Already)

  • Patch quickly and consistently. Delays in applying security updates cost the EC greatly.
  • Don’t rely on defaults. Default credentials and weak password policies dramatically increase risk.
  • Implement logging & ongoing monitoring. Silent compromises often stay hidden until it’s too late.
  • Treat data sensitivity at scale seriously. Even “just names and addresses” become high-value when aggregated across millions of people.
  • Use layered security. Combine patching, MFA, good password hygiene, logging, and regular audits.

Closing Thoughts

The EC breach shows that major security failures often aren’t about exotic exploits; they come down to basic hygiene failures. In modern cyber risk, living up to the basics (patching, passwords, monitoring) can mean the difference between safe data and a 40-million-person exposure.

