The UK’s Electoral Commission has disclosed that a cyberattack left the personal data of approximately 40 million voters exposed for more than a year. This regulatory agency, responsible for overseeing party and election financing and elections within the country, identified itself as the victim of a sophisticated cyber breach. Although it first noted suspicious behavior on its network in October 2022, it determined that the attackers had first infiltrated its systems back in August 2021.
The wrongdoers managed to access the Electoral Commission’s servers, which were responsible for hosting the agency’s email, control systems, and copies of electoral registers. However, details concerning donations and loans to registered political entities and independent campaigners were unaffected, as these were maintained on a distinct system. Furthermore, information pertaining to anonymous voters or overseas electors registered outside of the UK was not held by the agency.
The exposed data consisted of the names and addresses of UK residents who had registered to vote between the years 2014 and 2022, in addition to registered overseas voters. Information submitted to the commission via email and web forms was also compromised.
The commission stated, “We know that this data was accessible, but we have been unable to ascertain whether the attackers read or copied personal data held on our systems.” The agency also verified to TechCrunch that the breach could have potentially impacted around 40 million voters. This figure is significant when compared to the 46.6 million parliamentary and 48.8 million local government electoral registrations recorded in December 2021.
Prior to revealing the breach, the Electoral Commission undertook several actions. These included shutting out the infiltrators, examining the potential extent of the breach, and implementing additional security measures to prevent future similar occurrences.
Although the information within the electoral registers is restricted and much of it is publicly accessible, the agency expressed that the data alone does not pose a substantial threat to individuals. Nevertheless, it cautioned that the information might be amalgamated with other publicly available data to deduce behavioral patterns or to identify and create profiles of individuals.
The commission emphasized that the attack did not influence the security of the UK’s elections. It pointed out that the compromised data has no bearing on how individuals register, vote, or engage in democratic processes, and does not affect the administration of electoral registers or the conduct of elections. The dispersed nature of the UK’s democratic process and the reliance on paper documents and manual counting make it extremely challenging to utilize a cyber-attack to sway the process.
Frequently Asked Questions (FAQs) about cyberattack
What personal information was exposed in the UK Electoral Commission’s cyberattack?
The personal data of approximately 40 million voters was exposed, including names and addresses of UK residents who registered to vote between 2014 and 2022, as well as those registered as overseas voters. Information submitted to the commission through email and web forms was also exposed.
When did the Electoral Commission first detect the cyberattack?
The UK’s Electoral Commission first detected suspicious activity on its network in October 2022, but the intruders are believed to have first gained access to its systems in August 2021.
Were any details of donations and loans to political parties affected?
No, details of donations and loans to registered political parties and non-party campaigners were not affected, as those were stored on a separate system.
What measures did the Electoral Commission take after discovering the hack?
The Electoral Commission had to lock out the “hostile actors,” analyze the possible extent of the breach, and put more security measures in place to stop a similar situation from happening in the future.
Does the exposed data represent a major risk to individuals?
The agency stated that the data by itself does not represent a major risk to individuals. However, it warned that the information could be combined with other public data to infer patterns of behavior or to identify and profile individuals.
Was the UK’s democratic process impacted by this cyberattack?
No, the Electoral Commission noted that the attack had no impact on how people register, vote, or participate in democratic processes. The dispersed nature of the UK’s democratic system and reliance on paper documentation makes it difficult to influence the process through a cyberattack.