
The Electoral Commission has admitted that it failed a basic cyber-security test at around the same time that hackers gained access to its systems.
A whistleblower told the BBC that the Commission was assessed as non-compliant in a Cyber Essentials audit.
In August, the Commission disclosed that "hostile actors" had gained access to its emails and potentially to the data of 40 million voters.
A spokesperson confirmed that the Commission had failed to meet the scheme's minimum requirements.
The election watchdog disclosed in August that hackers had first broken into its IT systems in August 2021 and had access to sensitive data until they were discovered and removed in October 2022.
The unidentified attackers gained access to Electoral Commission emails and could have seen databases holding the names and addresses of 40 million registered voters, including millions who are not listed on the public register.
Who was responsible for the intrusion, and how they got in, has not been disclosed.
Now a whistleblower has come forward to reveal that, in the same month the hackers gained access, the Commission was told by cyber-security auditors that it did not comply with Cyber Essentials - a government-backed scheme that helps organisations reach a basic standard of cyber-security.
Organisations often opt for Cyber Essentials as a way to demonstrate to their customers that they take security seriously.
An up-to-date Cyber Essentials certificate is mandatory for suppliers bidding on contracts that involve handling personal and sensitive data.
The Commission attempted to become certified in 2021 but failed in several areas.
A Commission spokesperson acknowledged the failings but maintained that they were not linked to the cyber-attack that affected its email servers.
One reason for the failure was that around 200 staff laptops were running out-of-date and potentially insecure software.
The Commission was told to update the version of Windows 10 Enterprise on those machines, which had stopped receiving security updates several months earlier.
Auditors also failed the Commission because staff were using iPhones too old to receive security updates from Apple.
The NCSC, which backs the Cyber Essentials scheme, advises all organisations to keep their software up to date so that attackers cannot exploit known vulnerabilities.
Daniel Card, a cyber-security consultant who has helped many organisations become Cyber Essentials compliant, said it is too early to tell whether the weaknesses revealed by the audit allowed the hackers in.
He said the evidence suggests the hackers used a different route to breach the email servers, although the attack path could have included one or more poorly protected devices.
He added that, whether or not the hackers exploited those weaknesses, the findings point to a lack of basic security practice and possibly a failure of leadership.
The NCSC encourages organisations to obtain Cyber Essentials certification, noting that "vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others".
The UK's Information Commissioner's Office (ICO), which itself holds both Cyber Essentials and Cyber Essentials Plus certification, is making urgent enquiries into the cyber-attack.
When the hack was made public, the Electoral Commission said the data taken from the full electoral register was "largely in the public domain".
However, the open register, which can be purchased, contains only a fraction of the entries on the full register. The hackers therefore had access to data on the tens of millions of people who had opted out of the public version.
The Electoral Commission said it did not apply for Cyber Essentials certification in 2022.
"We are constantly working to improve our cyber-security and systems, and draw on the expertise of the National Cyber Security Centre - as many public bodies do - to continue to develop and strengthen our defences against cyber-attacks," its statement said.