A whistle-blower at the Electoral Commission has told the BBC that the Commission failed a basic “Cyber Essentials” audit around the time it was hacked in 2021.

It was revealed last month that the Commission became aware of an attack in October 2022, but that hostile actors gained access to the system in August 2021. The attack was of such a scale that attackers had access to the name and address details of every registered voter in the country, including those not on the public register. Whether data was exfiltrated remains unknown.

The Commission still hasn’t explained why it took 10 months to make its knowledge of the attack public and we still don’t know who was behind it.

Now a whistleblower has revealed that the same month that hostile actors were accessing email servers, control systems and copies of the electoral registers, the Commission was told by cybersecurity auditors that it was not compliant with the Cyber Essentials scheme.

The Cyber Essentials scheme is backed by both the government and the National Cyber Security Centre (NCSC) and sets minimum standards for cybersecurity best practice. The scheme is voluntary, but the government requires all bidders for any contract requiring the processing or storage of sensitive or personal data to meet these minimum standards and have a Cyber Essentials certificate to prove it.

However, when the Commission sought basic certification in 2021 it failed for multiple reasons, including running software that was no longer supported and therefore not subject to security updates on both laptops and phones. The NSCC advises all organisations to keep software up to date “to prevent known vulnerabilities from being exploited” by hackers.

A spokeswoman for the Commission confirmed that the organisation had failed the Cyber Essentials audit, but told the BBC that these failings weren’t linked to the cyber-attack that impacted email servers.

As with the original statement last month, the response of Electoral Commission to this allegation raises as many questions as it answers. The Commission, and the Information Commissioner’s Office are still investigating the attack. If the Commission feels sufficiently confident to state that the compromises of the email servers were not enabled via the access route of out-of-date software, that implies that the Commission does now know how that compromise occurred. This information has not been released.

Secondly, the wording of the latest statement is very specific. It only mentions email servers. Email servers were not the only systems compromised and they may not have been the attack vector.