30 July 2024

UK’s Electoral Commission reprimanded for August 2021 breach


The United Kingdom's Information Commissioner's Office (ICO) said that the Electoral Commission was compromised in August 2021 because it had failed to patch its on-premises Microsoft Exchange Server against the ProxyShell vulnerabilities. The breach has been attributed to a Chinese state-backed threat actor tracked as APT31 by the UK National Cyber Security Centre (NCSC).

The vulnerabilities exploited in the attack are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The flaws were chained together to infiltrate the commission's Exchange Server 2016, deploying web shells that provided the attackers with persistent access. Microsoft had issued security updates to address the ProxyShell vulnerabilities in May 2021, but the Electoral Commission did not apply the patches in a timely manner, leaving their systems exposed.
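The article describes the exploit chain only at a high level. For a defender, the question after reading it is "how would I know whether my own Exchange server saw this?" One public indicator of ProxyShell exploitation is a request to the Autodiscover JSON endpoint whose query string uses an `@` prefix to reach a backend such as the PowerShell or MAPI endpoints. The script below is an added example, not code from the article, the ICO or the Electoral Commission; it scans IIS W3C log text for that shape. The log lines, host names and IP addresses are constructed, and the exact field layout and query encoding are assumptions modelled on public advisories, so treat matches as leads to triage rather than proof of compromise.

```python
"""Heuristic scan of IIS W3C log text for the ProxyShell request shape described
in public defender guidance: a request to /autodiscover/autodiscover.json whose
query string starts with '@' and names a backend endpoint such as /powershell
or /mapi/nspi. Added example; field layout and encoding are assumptions."""
from dataclasses import dataclass
from collections import Counter

# Constructed sample log (not real Electoral Commission data). The #Fields
# header mirrors the default IIS W3C layout used here; real servers may differ.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0 200
2021-08-12 03:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @test.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.invalid 443 - 203.0.113.9 python-requests/2.25 200
2021-08-12 03:15:12 10.0.0.5 POST /autodiscover/autodiscover.json @test.invalid/powershell/?&Email=autodiscover/autodiscover.json%3F@test.invalid 443 - 203.0.113.9 python-requests/2.25 200
2021-08-12 03:20:45 10.0.0.5 GET /ews/exchange.asmx - 443 CORP\\jsmith 10.0.0.77 Outlook/16.0 200
"""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.json"
# Backend endpoints that a legitimate Autodiscover request would never name
# inside its query string; order matters only for which one is reported.
SUSPICIOUS_BACKENDS = ("/powershell", "/mapi/nspi", "/ews/exchange.asmx")


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    backend: str
    status: int


def parse_fields(header_line):
    """Turn '#Fields: date time ...' into a list of column names."""
    return header_line[len("#Fields:"):].split()


def scan_iis_log(text):
    """Return a Hit for every line matching the autodiscover '@' pattern."""
    fields = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = parse_fields(line)
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or multi-space field; skip rather than guess
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        if stem != AUTODISCOVER_PATH or not query.startswith("@"):
            continue
        backend = next((b for b in SUSPICIOUS_BACKENDS if b in query), None)
        if backend is None:
            continue
        hits.append(Hit(f"{row['date']} {row['time']}", row["c-ip"],
                        backend, int(row["sc-status"])))
    return hits


def summarize(hits):
    """Count hits per client IP so a responder sees who was probing."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} -> {h.backend} (HTTP {h.status})")
    print("per-source counts:", summarize(found))
```

On a real server the same function can be pointed at the files under the IIS `W3SVC*` log folders; a hit with HTTP 200 on the PowerShell backend is the one to escalate first, since that is the step that precedes web shell drops in the chain the article describes. The heuristic deliberately does not try to recognise the web shell itself, because file names vary; pairing log hits with a review of recently written `.aspx` files under the Exchange install path is the usual follow-up.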

The breach and the deployed malware were discovered on October 28, 2021, when an employee noticed the Commission's Exchange server was being used to send spam emails. During the intrusion, the Chinese hackers accessed the personal information of approximately 40 million people, including names, home addresses, email addresses, and phone numbers.

Despite the severity of the breach, the Electoral Commission downplayed its impact, asserting that “much of it is already in the public domain.” In the UK, only voters' names and addresses are publicly available in the open register, meaning that other compromised information was not meant to be publicly accessible.

The ICO has reprimanded the UK elections authority for failing to adequately protect its systems and the personal data of millions of voters.

Stephen Bonner, ICO Deputy Commissioner, said that basic security measures, such as effective patch management and password security, could have prevented the breach.

“If the commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened,” Bonner said.

However, the official noted that there is no evidence suggesting any misuse of the personal information since it was accessed in 2021. The ICO has found no indication that the breach has directly harmed the affected voters.
