Hackers gain access to UK voters’ data following cyber attack
The UK Electoral Commission has apologised after a security breach gave ‘hostile actors’ access to the names and addresses of 40 million registered voters.
The Electoral Commission has revealed it has been the subject of a “complex cyber attack” that, from August 2021, made copies of electoral registers accessible to hackers.
The attack went undetected for over a year and was only identified in October 2022, the elections watchdog has admitted. The Commission said it has not identified the authors of the attack, adding it is “difficult to accurately predict a figure” for how many people’s data had been affected.
In a public notice, the Commission admitted the attackers would have been able to access the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of overseas voters. This would make it one of the largest data breaches to take place in the UK.
These records are kept by the Electoral Commission for research purposes and conducting checks on political donors. They did not include details of anyone who registered anonymously.
“We regret that sufficient protections were not in place to prevent this cyber attack,” said Shaun McNally, the Electoral Commission CEO. “Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience and reliability of our IT systems.
“The successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
The Commission stressed it was unlikely that the data would be used to influence elections, as key aspects of the process remain based on “paper documentation and counting”. However, it did warn of the risk of the data being used to infer patterns of behaviour or to identify and profile people.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected,” McNally added.
Once the breach was discovered, it was reported within 72 hours to the Information Commissioner’s Office (ICO), as well as the National Crime Agency, the Commission said.
The National Cyber Security Centre (NCSC) said it had given the Commission “expert advice and support to aid their recovery after a cyber incident was first identified”, adding that “defending the UK’s democratic processes is a priority”.
The ICO has said it was “investigating as a matter of urgency”.
Over the past three years, the Covid-19 pandemic and Russia’s invasion of Ukraine have created conditions that have favoured a dramatic increase in cyber crime, effectively turning the cyber space into what Australia’s cyber-security agency has described as “the domain of warfare”.
This rise in cyber crime has affected governments and organisations across the world. The UK’s NHS, the US’s Apple and even the Albanian government have all suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk.
Earlier this summer, a flaw in the MOVEit Transfer application exposed the personal data of employees at private companies such as the BBC, Boots, British Airways and Aer Lingus, as well as public bodies including the government of Nova Scotia in Canada.