The UK’s Electoral Commission has revealed it has been the victim of a “complex cyber-attack,” exposing the personal details of millions of British voters.
The Commission revealed the attack was identified in October 2022 after suspicious activity was detected on its systems. A subsequent investigation found that the attackers had first accessed its servers in August 2021, the Commission reported in a notification published on August 8, 2023.
The malicious actors accessed “reference copies” of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. This contained personal data of anyone in the UK who was registered to vote between 2014 and 2022, including names and home addresses. The names of those registered as overseas voters were also exposed.
The register did not include information of those registered anonymously.
Jake Moore, cybersecurity advisor at ESET said that it is “worrying” that the attack went undiscovered for 15 months and the authorities were not alerted of any abnormalities on their systems in that time.
“Cyber-criminals work best in stealth mode but rarely are they undetected for this length of time. However complex an attack is, it is saddening to see malicious actors break in and rummage around for so long,” he said.
Questions also arose on social media regarding 10 months for the Commission to inform the public of the incident.
The Commission explained via its official Twitter account: “We needed to remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public.”
When asked by one social media user whether the “hostile actor” could potentially influence the next UK General Election, expected in 2024, it stated: “There has been no impact on the security of UK elections. The data accessed does not impact how people register, vote, or participate in democratic processes. It has no impact on the management of the electoral registers or on the running of elections.”
⚠ UK Electoral Commission confirms data breach 🔥
— Will (@BushidoToken) August 8, 2023
🕵️♂️ Unnamed "hostile actors" blamed (APT > cybercrime)
🗃 Emails, servers, & electoral registers were accessed
🏡 Names and Addresses of voters (2014-2022)
🔎 Intrusion Identified: October 2022
🎯 Intrusion Began: August 2021 https://t.co/GkKsiDRqBQ
In addition, the Electoral Commission’s email system was also accessible during the attack, exposing further personal details of voters. As well as name and home address, this included email addresses, telephone numbers and any personal images sent to the Commission.]
Read more: Unraveling the EC Data Breach - Cybersecurity Experts Weigh In on the Implications
The Commission said the information affected in the breach “does not pose a high risk to individuals.” However, it had a duty to provide the August 8 notification “due to the high volume of personal data potentially viewed or removed during the cyber-attack” under Articles 33 and 34 of the UK General Data Protection Regulation (GDPR).
In its statement, the Commission apologised to all those affected and said it has worked with security specialists to investigate the incident and secure its systems against further attacks.
There is currently no indication as to who may have been behind the breach.
However, Russia-linked actors have frequently been accused of targeting nation-states electoral processes in recent years.
It is not the first time voter information has been exposed. In March 2022, it was revealed that tens of thousands of London voters had their personal details accidentally leaked by their council after emails were sent to the wrong recipients.