/cdn.vox-cdn.com/uploads/chorus_asset/file/23318433/akrales_220309_4977_0182.jpg "UK Voter Data Breached for Over One Year by Hackers Without Detection")
A cyberattack that started in August 2021 exposed personal data of individuals in the United Kingdom who registered to vote between 2014 and 2022. The attack wasn’t detected until October 2022, according to the UK Electoral Commission. The BBC also reported that the attackers had access to data from voters who had chosen to keep their data off public voter rolls.
The Electoral Commission stated on X (formerly Twitter) that it delayed reporting the incident to stop the attack, assess its extent, strengthen its systems, and coordinate with the National Cyber Security Centre and the UK Information Commissioner’s Office.
According to the Electoral Commission, much of the data was already in the public domain, but there may still be a risk for those whose data was obtained from the UK’s independent elections watchdog. The hackers gained access to servers containing copies of voter registration data, email communications, and control systems. The commission emphasized that email server data poses a higher risk due to potential inclusion of sensitive details from email text or attachments.
The notice stated that data from the election register, including names, addresses, and personal details, has a lower risk. However, malicious actors could analyze it alongside other data to deduce patterns of behavior or identify individuals. Fortunately, the commission did not retain address information for overseas voters or anonymous registrants.
According to CEO Shaun McNally’s statement published at BBC, the UK Electoral Commission cannot confirm which files were accessed. Commission chair John Pullinger described the attack as “very sophisticated” but clarified that the hackers were unable to manipulate or delete any information. The commission also lacks certainty about the identity of the attackers, as mentioned in a Twitter thread.
UK Electoral Commission CEO Shaun McNally expressed limited concern regarding the impact on previous or future UK elections. McNally told The Guardian that because crucial aspects of the democratic process rely on “paper documentation and counting,” it would be challenging for a cyberattack to influence the process.
The UK Electoral Commission advises that immediate action is not required. However, if you believe your data may have been compromised in the attack (if you registered to vote between 2014 and 2022), the commission suggests remaining vigilant for signs of unauthorized use of your information.