Electoral Commission issues apology for security lapse regarding UK voters’ data

Confidence in the UK’s electoral regulator has been called into question after it was revealed that a hostile cyber-attack that accessed the data of 40 million voters went unnoticed for a year, and the public was not informed for an additional 10 months.

The Electoral Commission has apologized for the security breach, which allowed the names and addresses of all voters registered between 2014 and 2022 to be exposed to “hostile actors” as early as August 2021.

The attack was discovered last October and promptly reported to the Information Commissioner’s Office (ICO) and the National Crime Agency within 72 hours. However, it is only now that the public is being notified about the potential accessibility of the electoral registers containing the data of millions of voters throughout that period.

The Electoral Commission stated that it is unable to determine definitively what information was accessed. It is unclear whether the attackers were connected to a hostile state, like Russia, or a criminal cyber gang.

While acknowledging that voters may still be concerned, the watchdog claimed that “much of the data” was already in the public domain and emphasized the difficulty of influencing the outcome of the UK’s primarily paper-based electoral system. However, these assertions may not alleviate worries.

During the attack, the perpetrators were able to access complete copies of the electoral registers, which the commission holds for research purposes and to facilitate permissibility checks on political donations. These registers contain the names and addresses of anyone in the UK registered to vote between 2014 and 2022. The commission’s email system was also accessible to the attackers.

The full register held by the Electoral Commission contains name and address data that the public can inspect locally through electoral registration officers, with only handwritten notes allowed. This information cannot be used for commercial or marketing purposes.

The intruders did not have access to the data of anonymous voters, whose details are private for safety reasons, or to the addresses of overseas voters.

The attack has raised concerns about the integrity of the UK’s electoral system. However, the National Crime Agency has stated that it is “defending the UK’s democratic processes,” and strengthening the cyber-resilience of electoral systems is a top priority.

Prof Alan Woodward, a computer security specialist at the University of Surrey, expressed concerns about the reputational damage the Electoral Commission may suffer and the erosion of people’s confidence in the democratic process.

Andrew Rose, the chief information security officer for Europe at Proofpoint, a US cybersecurity company, commented on the seriousness of the breach and the potential consequences of undermining the democratic process.

Shaun McNally, the chief executive of the Electoral Commission, emphasized the difficulty of using a cyber-attack to influence the UK’s dispersed democratic process. However, he acknowledged that organizations involved in elections remain targets and must remain vigilant.

The commission stated that the delay in making the hack public was necessary to remove the actors and their access to the system, assess the extent of the incident, and implement additional security measures with the guidance of the National Cyber Security Centre and ICO.

While the Electoral Commission regrets the lack of sufficient protections to prevent the cyber-attack, it has taken significant steps to enhance the security, resilience, and reliability of its IT systems. The commission is aware of the systems that were accessible to the attackers but cannot definitively determine whether any files were accessed. It understands and apologizes for the concern caused by the potential accessibility of the registers.

The ICO has been contacted by the Electoral Commission regarding the incident and is conducting inquiries. The ICO reassured the public that the matter is being urgently investigated and advised anyone concerned about their data to get in touch with the ICO or visit its website for support and guidance.
