The UK’s elections watchdog has revealed it has been the victim of a “complex cyber-attack” potentially affecting millions of voters, first identified in October 2022.
The Electoral Commission’s notice said unspecified ‘hostile actors’ had managed to gain access to the system in August 2021.
The commission explained that it first needed to stop the hackers' access, examine the extent of the incident, and put additional security measures in place before making the attack public.
Defending the delay, commission chair John Pullinger said: "If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities."
The ‘complex cyber-attack’ gave the perpetrators access to the Commission’s servers, which held emails, control systems, and copies of the electoral registers.
The registers held during the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously.
The public notice issued by the Commission states that a high volume of personal data had potentially been viewed or removed during the cyber-attack.
Risk assessments carried out by the Information Commissioner’s Office concluded that the personal data held on the electoral registers, typically name and address, does not in itself present a high risk to individuals.
But when this data is combined with other data in the public domain which has voluntarily been shared by individuals, one could infer patterns of behaviour or identify and profile individuals.
The personal data held on the Commission’s email servers is also unlikely to present a high risk to individuals unless someone has sent sensitive or personal information as an attachment or via a form on the Commission’s website.
Such information may include medical conditions, gender, sexuality, or personal financial details. However, information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.
Joe Tidy, a cyber reporter for the BBC, said: “But make no mistake this is still a serious breach and the nature of the attack is telling.”
Anyone who registered to vote between 2014 and 2022 has been advised to remain vigilant for the unauthorized use or release of their data.
The Commission has taken further steps to increase the security and protection of personal data by strengthening its network login requirements, improving the monitoring and alerting system for active threats, and reviewing and updating its firewall policies.
The Commission has worked with external security experts and the National Cyber Security Centre to investigate and secure its systems.