ISACA London Chapter members demand e-voting system investigation over security and privacy concerns
# Incident Report: Security Concerns Raised Over ISACA London Chapter E-Voting System
## Executive Summary
Security concerns were publicly raised by a committee member regarding the ISACA London Chapter's hastily deployed e-voting system intended for the March 13 Extraordinary General Meeting (EGM). The primary risks identified centered on a critical lack of secondary authentication and the absence of post-vote confirmation, creating significant potential for fraud and undermining the integrity of the election process. Response actions focused on public scrutiny and criticism, highlighting systemic weaknesses in the governance process's security posture.
## Incident Details
- **Discovery Date:** March 12, 2025 (When criticism was published)
- **Incident Date:** Prior to March 11, 2025 (System deployed and process accepted)
- **Affected Organization:** ISACA London Chapter
- **Sector:** Professional Association / Governance
- **Geography:** London, UK (Implied)
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but the system was deployed before the March 11 deadline for proxy voting submission.
- **Vector:** Implied failure in secure system deployment/selection.
- **Details:** The e-voting system was "deployed hastily" without necessary security measures.
### Lateral Movement
- **Details:** Not applicable; the incident focused on the integrity of the voting mechanism itself rather than network intrusion.
### Data Exfiltration/Impact
- **Details:** Potential for fraudulent voting due to weak authentication, undermining the integrity of the board election process.
### Detection & Response
- **How it was discovered:** Public criticism and analysis published by Allan Boardman (Founder of CyberAdvisor.London and Committee Member) on March 12, 2025.
- **Response actions taken:** Public dissemination of security concerns, putting the system under scrutiny just before the election.
## Attack Methodology
*Note: The article describes **vulnerabilities** that enable attack, not a successful external breach.*
- **Initial Access:** N/A (Focus on system design flaw).
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** Potential for easy credential abuse due to reliance on membership number alone.
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Compromise of electoral integrity/governance process.
## Impact Assessment
- **Financial:** Not quantified; potential costs would arise from remediation or re-running elections if fraud were proven.
- **Data Breach:** The concern is primarily the integrity of credentials and voting records; membership IDs could potentially be exposed if an attacker with database access exploited the system.
- **Operational:** Risk to the legitimacy of the election for the next board of directors.
- **Reputational:** Significant reputational damage to the ISACA London Chapter due to hurried deployment and security omissions.
## Indicators of Compromise
- **Network indicators:** None provided / Not applicable (Focus on design flaw).
- **File indicators:** None provided.
- **Behavioral indicators:** Unauthenticated voting activity (hypothetically possible).
## Response Actions
- **Containment measures:** Public exposure of the flaw served as a call to action, though formal containment steps are not detailed.
- **Eradication steps:** Not specified; an immediate review or modification of the voting process was likely required before the EGM on March 13.
- **Recovery actions:** Not specified.
## Lessons Learned
- **Key takeaways:** Hastily deploying critical governance systems (like e-voting) without adequate security scrutiny inherently introduces unacceptable risk to integrity.
- **What could have been done better:** Mandatory secondary authentication (MFA or equivalent) and provision of post-vote audit trails and confirmations.
## Recommendations
- **Prevention measures for similar incidents:** All systems handling critical governance processes or sensitive data must undergo a formal, documented security review and penetration testing *prior* to deployment, especially for systems relying solely on a single identifier (like a membership ID) for authentication.