The UK’s electoral oversight body has disclosed that it fell victim to a “sophisticated cyber attack” that could potentially impact millions of voters.
The Electoral Commission revealed that unidentified “malicious actors” were able to breach its systems and access copies of the electoral registers dating back to August 2021. The breach also involved unauthorised access to the commission’s emails and control systems, although the attack was only discovered in October 2022.
The commission has issued a public advisory urging individuals to remain vigilant regarding unauthorised use of their personal data.
CEO Shaun McNally stated that the commission was aware of the specific systems the hackers gained access to, but could not definitively ascertain which files were accessed.
According to the commission’s announcement, the accessed data encompassed the names and addresses of UK citizens who registered to vote from 2014 to 2022. This includes those who chose to keep their information off the open register, which can be obtained by entities like credit reference agencies.
Although the data breach involved the names of overseas voters, their addresses were not compromised. The information of those who registered anonymously for safety or security reasons remained untouched.
While the exact number of affected individuals is difficult to ascertain, the commission estimates that each yearly register contains details of approximately 40 million people. It emphasised that the personal data held on its email servers poses minimal risk to individuals. However, email content and attachments could be vulnerable.
The commission clarified that the personal data stored in the electoral registers, such as names and addresses, isn’t inherently high-risk. Nevertheless, there’s potential for this data to be merged with other public information to identify and profile individuals.
Although the precise timeline of when the hackers’ access was halted hasn’t been disclosed, the commission said that immediate action was taken to secure the systems after the breach was detected in October 2022.
The incident did not affect information about donations and loans to political parties and registered campaigners, as that data is stored in a separate, unaffected system.
The commission stressed its commitment to enhancing system security against future cyber threats through updates to login requirements, alert systems, and firewall policies.
The Information Commissioner’s Office, responsible for data protection in the UK, confirmed it’s conducting an urgent investigation into the matter.