News Hub

UK Electoral Commission suffers cyberattack, millions of UK voters’ data compromised

Written by Tue 8 Aug 2023

The UK Electoral Commission has reported a ‘complex cyberattack on its systems’ by hostile actors. Millions of UK voters’ data could be compromised.

The hostile actors gained access to the Electoral Commission’s servers, which held copies of the electoral registers.

The attack

In October 2022, suspicious activities led to the discovery that the Commission’s systems had been compromised. Investigations revealed that hostile actors had gained unauthorised access to the Commission’s servers as early as August 2021.

These servers housed the Commission’s emails, control systems, and copies of the electoral registers. The attackers could view reference copies of electoral registers from 2014 to 2022, including details of UK residents and overseas voters, but not anonymous registrations.

“While much of this data is already in the public domain, we understand the concern this may cause,” said the Electoral Commission on X (Twitter).

Once discovered, the Commission liaised with the National Cyber Security Centre and ICO, putting additional security measures in place before making the incident public.

Under Articles 33 and 34 of the UK General Data Protection Regulation, the Commission must notify data subjects if their data has been breached by inappropriate access, loss, or theft from our systems.

The Commission said in a statement: “We understand the concern this attack may cause and apologise to those affected. It is our assessment that the information affected by this breach does not pose a high risk to individuals and this notification is being given due to the high volume of personal data potentially viewed or removed during the cyberattack.”

The Commission stated it does not know who is responsible for the attack. As of yet, no groups or individuals have claimed responsibility for the attack.

“The cyber attack on the Electoral Commission remaining undetected for over a year – allowing hackers to freely lurk within its systems – is extremely concerning. Elections are the cornerstone of democracy and the infiltration of such processes is a threat that must be addressed,” said Doug Lucktaylor, Head of Information Security at CSS Assure.

Lucktaylor added that the most successful breaches are the ones that go unnoticed. He suggested that all institutions should proactively monitor their networks and systems, as well as maintain a constant awareness of who has access and their activities within their systems.

Individuals should remain vigilant, as cybercriminals have the ability to combine breached data with other publicly-available information to create comprehensive profiles and achieve effective social engineering attacks.

> Concerned? Read the Electoral Commission’s FAQs

The implications

The compromised email system contained various personal data such as names, addresses, contact numbers, email addresses, any content within emails or webforms that might have included personal data, and personal images sent to the Commission.

The personal data held on the Commission’s email servers is said to not present a high risk to individuals unless someone has sent sensitive or personal information in the body of an email, as an attachment, or via a form on the Electoral Commission website.

Data breached within the electoral register included personal details like names, home addresses, and specific dates on which individuals would attain voting age.

While this data in isolation might not pose a significant risk, the possibility of combining it with other publicly available information could lead to inference of potential behavioural patterns and profiling of individuals.

“No immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorised use or release of their personal data,” said the Commission.

How did the Electoral Commission respond to the cyberattack?

Once alerted to the breach, the Commission engaged with the National Cyber Security Centre and external security experts to investigate the intrusion and bolster its defenses.

Measures included strengthening network login prerequisites, enhancing monitoring systems to detect potential threats more efficiently, and reviewing and updating firewall policies for robust protection.

What does it mean for UK voters?

Despite the cyberattack, the Electoral Commission said there has been no impact on the security or management of UK elections, as the breached data does not impact how people register, vote, or participate in democratic processes. The electoral registration status of individuals also remained unaffected.

Individuals who have had interactions with the Commission, or were registered voters between 2014 and 2022, are still advised to remain vigilant for any unauthorised use of their personal data.

The Commission has assured its stakeholders that the systems governing donations and/or loans to political entities were unaffected.

Those concerned can contact the Electoral Commission’s Data Protection Officer via email ([email protected]).

For concerns, queries, or complaints related to the incident, individuals also retain the right to contact the Information Commissioner’s Office (ICO).

Moving forward

This cyberattack highlights the ever-present digital threats, serving as a reminder of the evolving nature of cyberthreats and the importance of continuous vigilance of all systems.

“Intrusions into election related networks are not tantamount to manipulation of the vote. We should be careful not to ascribe too much meaning to these incidents, which could serve the adversary’s interest. Ultimately, adversaries seek to undermine our democratic institutions and more often than not they do that by overstating their own power,” said John Hultquist, Mandiant Chief Analyst at Google Cloud.

In the past Russia’s GRU has taken advantage of election related intrusions in Ukraine to suggest they have manipulated the vote, despite lacking the ability to do so. Similarly, in 2020 Iran faked a hack of US election related systems to suggest they manipulated the vote.

> Read more: One in three businesses faced cyber attacks last year, report says

Hungry for more tech news?

Sign up for your weekly tech briefings!

Written by Tue 8 Aug 2023

Send us a correction Send us a news tip