UK's Electoral Commission had its Microsoft Exchange servers compromised in a cyberattack by Chinese state-backed threat operation APT31 three years ago that exposed almost 40 million individuals' data due to its failure to remediate ProxyShell vulnerabilities, tracked as CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523, according to The Record, a news site by cybersecurity firm Recorded Future.
Aside from not applying the fixes for the ProxyShell flaws, the Electoral Commission also had its servers impacted by eight other security issues, which could have been leveraged in additional compromise, a report from the UK's Information Commissioner’s Office revealed.
Numerous Electoral Commission accounts also had similar passwords or default credentials, which could increase vulnerability to intrusions, said the ICO, which noted that several security improvements have already been implemented by the agency following the incident. "If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened," said ICO Deputy Commissioner Stephen Bonner.