
The Electoral Commission and Police Force Data Breaches Highlight Major Security Holes in Britain’s Public Sector – How Do We Solve Them?

Serious data breaches at the Electoral Commission and multiple UK police forces have highlighted that public sector organisations aren’t immune to the threat posed by cybercriminals.

In August, the Electoral Commission confirmed it was the victim of “a complex cyber-attack” that compromised the personal information of 40 million British citizens. The breach, which first occurred in August 2021, remained undiscovered until October 2023 and saw hackers retrieve electoral register reference copies. This meant they had access to the names and addresses of millions of UK voters.

The Commission admitted that “sufficient protections were not in place to prevent this cyber-attack”, and it is now apparent that the government agency failed a Cyber Essentials test designed to improve organisations’ cyber defences prior to the attack taking place. In light of the seriousness of the August 2021 attack, the organisation claims to have begun work to “improve the security, resilience, and reliability” of its IT systems.

Elsewhere across the UK public sector, multiple British police forces have recently experienced significant data breaches. In August, London’s Metropolitan Police alerted tens of thousands of its staff to a data breach caused by “unauthorised access to the IT system of a Met supplier.”

The IT vendor in question had information like names, ranks, photos, vetting levels, and pay numbers for the Met’s police officers and staff on file. However, the Met said the hack didn’t result in the leak of personal data like names, addresses and financial information. Other British police forces to experience recent data breaches include Greater Manchester Police and the Police Service of Northern Ireland.

These data breaches have proven that personal data isn’t necessarily safe in the hands of government agencies and that they must do more to improve their cybersecurity capabilities. But what cybersecurity frameworks and best practices can they implement to ensure these incidents never happen again?

Critical Lessons To Be Learned

One of the biggest lessons of these breaches is that even highly secure databases are vulnerable to breaches and remain lucrative targets for cybercriminals. Reviewing and limiting access privileges to databases containing large volumes of personal data is an excellent first step, but it’s not the only thing organisations should consider.

With the cyber threat landscape evolving at an unprecedented speed, organisations must remain one step ahead of cyber criminals by anticipating the security vulnerabilities and hacking methods they may leverage in their attacks. The only way to do this is by conducting regular cybersecurity audits and staying up-to-date with the latest cybersecurity threats.

Understanding that data breaches cause more than just financial loss is vital, too. Given the crucial role the Electoral Commission, police forces and other government agencies play in public life, they can’t afford to lose citizens’ trust. But unfortunately, reputational damage and the erosion of public trust are vast risks of cyber attacks impacting public institutions. Moreover, these organisations typically feel the full force of regulatory bodies – significantly undermining their essential public work.

David Sancho, a senior threat researcher at cybersecurity firm Trend Micro, described the Electoral Roll and police force data breaches as “good examples of cases where organisations are not taking the security of the data they are protecting seriously”.

Sancho warned organisations not to neglect data security “because attackers are ready to pounce at any moment”. He said that no matter their size, every company and organisation is “subject to cyberattacks”.

He added: “In my experience, some place security spending at a lower priority with a reasoning such as ‘it won’t happen to us, we’re not worth a cyber attacker’s time’. This should not happen, and all companies should be ready for attempts like these.”

Improving Cybersecurity Foundations

Whether it’s financial loss, reputational damage or regulatory repercussions, many of these risks can be avoided when organisations take the threat of cybercrime seriously. But actions speak louder than words – organisations shouldn’t just promise to improve their cyber security posture in a public statement after a severe breach but take concrete, qualitative steps to strengthen their cybersecurity foundations.

With human error playing such a prominent role in data breaches, organisations need to do more to educate their staff on spotting and mitigating cybersecurity risks. As the cyber risk landscape continues to evolve, a single PowerPoint presentation to tick a box won’t cut it. Both public and private sector organisations must regularly roll out staff training and awareness campaigns. Organisations like the National Business Crime Centre offer free cyber security training for employees, so cyber awareness doesn’t have to eat into company budgets.

Another basic but essential step to improving an organisation’s cybersecurity foundations is regularly updating software and systems to fix security vulnerabilities. Migrating from outdated operating systems like Windows 7 and 8 will also close security holes left open by unsupported software. Implementing multi-factor authentication will also decrease the likelihood of nefarious parties gaining unauthorised access to an organisation’s IT systems.

Implementing an internationally recognised industry framework like the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) or ISO 27001 will ramp up organisational cyber resilience. These frameworks help organisations with areas like asset management, access controls, vulnerability management, incident response, third-party security and continuous improvement.

Luke Dash, CEO of ISMS.online, said such frameworks will help organisations “significantly improve resilience against attacks”. In light of the Electoral Roll and Police Force data breaches, he urges governments to make implementing cybersecurity frameworks mandatory in government agencies – especially if they hold sensitive data – along with audits and framework certification.

Integrating These Learnings And Frameworks

Implementing a cyber security framework and improving cyber resilience will be entirely new for many organisations. So, what can they do to achieve these objectives successfully?

Dash says organisations mustn’t view cybersecurity as an “afterthought”. The key to cyber resilience is “dedicated focus, resources and an ongoing commitment”. He continued: “Implementing a robust framework can help strengthen defences before a breach occurs. The public deserves world-class security for their data, and these frameworks provide a blueprint. Work is still to be done, but the path forward is clear.”

Increasing the visibility of an organisation’s networks will also help them protect sensitive data, according to Sancho. He recommended: “You accomplish that with software that analyses network behaviour and can flag disparate anomalies as a concerted hacking effort. Having this improved visibility can allow a defender to understand that they are under attack before the damage is done.”
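The approach Sancho describes, turning separate low-signal anomalies into one alert about a concerted effort, can be shown with a small correlator. The example below is added here and is not code from the article or from Trend Micro; the log format, sensor names, anomaly labels and IP addresses are constructed for illustration, and the 30-minute window and two-distinct-anomalies threshold are assumed tuning values a defender would adjust for their own environment.

```python
"""Correlate low-signal anomalies from different sensors into one alert per source.

Each anomaly on its own (a burst of failed logins, a port scan, a large outbound
transfer) may be tolerated by an analyst; seeing several distinct kinds from the
same source within a short window is what signals a concerted effort.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Format: timestamp|sensor|anomaly|source_ip
SAMPLE_EVENTS = """\
2023-08-01T09:00:05|auth|failed_login_burst|203.0.113.7
2023-08-01T09:02:11|netflow|port_scan|203.0.113.7
2023-08-01T09:10:42|dlp|large_outbound_transfer|203.0.113.7
2023-08-01T09:15:00|auth|failed_login_burst|198.51.100.4
2023-08-01T11:30:00|netflow|port_scan|198.51.100.4
2023-08-01T09:05:00|auth|failed_login_burst|192.0.2.9
"""

# Assumed tuning values: how close in time anomalies must be, and how many
# distinct kinds from one source count as a concerted effort.
WINDOW = timedelta(minutes=30)
MIN_DISTINCT = 2


def parse_events(text):
    """Parse the pipe-separated sample format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, anomaly, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sensor": sensor,
            "anomaly": anomaly,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {source_ip: sorted anomaly kinds} for every source that produced
    at least `min_distinct` different anomaly kinds inside one sliding `window`.

    `events` must be sorted by timestamp (as parse_events returns them)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        # Slide a window starting at each event for this source; the first
        # window that gathers enough distinct kinds raises the alert.
        for i, start in enumerate(evs):
            kinds = {e["anomaly"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(kinds) >= min_distinct:
                alerts[src] = sorted(kinds)
                break
    return alerts


if __name__ == "__main__":
    for src, kinds in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT concerted activity from {src}: {', '.join(kinds)}")
```

With the sample data, only 203.0.113.7 produces an alert: three different anomaly kinds arrive within ten minutes. The other two sources each stay below the threshold, 198.51.100.4 because its two anomalies are more than two hours apart and 192.0.2.9 because it shows a single kind. Widening the window is the knob that trades earlier warning for more noise, which is why the values are best set from an organisation's own baseline rather than copied.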

Regardless of industry or size, all organisations processing and storing sensitive information must also take steps to understand data privacy laws like the General Data Protection Regulation.

Kevin Modiri, a solicitor at law firm Nelsons, said: “The General Data Protection Legislation (GDPR) came into force in 2018 and governs how we can use, process and store personal data, including any information about an identifiable, living person. The legislation applies to all organisations, including those that supply goods and services.”

Key Takeaways

The Electoral Roll and police force data breaches were unfortunate incidents that affected millions of people, but what’s clear is that they have presented valuable lessons for organisations handling sensitive information.

Perhaps the biggest lesson is that all organisations must assess their cybersecurity capabilities and take ongoing measures to secure sensitive data. Waiting for breaches to happen is not an option with so much at stake, including financial loss, reputational damage and regulatory action.

Effective measures for preventing data leaks include the implementation of international cybersecurity frameworks and delivering regular, consistent cybersecurity training for everyone within the organisation.
