UK voters exposed to cyber-attack after Electoral Commission is hacked by ‘hostile actors’
Tens of millions of UK voters’ details have been exposed to hostile actors as the Electoral Commission admits it has been hit by a cyber-attack.
The commission said the attack was first identified in October last year and it has worked with security experts and the National Cyber Security Centre, which provided expert advice to strengthen its cyber resilience.
Shaun McNally, the Electoral Commission Chief Executive, has apologised to voters over the lack of sufficient protections to prevent the cyber-attack.
The hostile actors had first accessed the systems in August 2021, the Electoral Commission said.
It did not provide further detail on the identity or motives of those behind it.
As part of the attack, those responsible were able to access reference copies of the electoral registers, that included the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
The registers are held by the Commission for research purposes and to enable permissibility checks on political donations.
Its email system was also accessible during the attack.
The elections watchdog has not been able to determine conclusively what files may or may not have been accessed, but details of those registered anonymously were not included in registers.
It is understood there was little risk of the outcome of a vote being influenced as a result of the breach.
In a statement published on social media, the Commission said: “Hostile actors were active in our systems and had access to servers which held our email, control systems, and copies of the electoral registers. We have since worked with external security experts and the National Cyber Security Centre to investigate and secure our systems.”
Mr McNally said it would be very hard to use a cyber-attack to influence the UK’s democratic process as it is significantly dispersed and key aspects remain based on paper documentation and counting.
He added: “Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.
“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”
An investigation into the data breach is being carried out by the Information Commissioner’s Office (ICO), which was notified within 72 hours of the cyber-attack being identified.
A spokesman for the ICO said: “The Electoral Commission has contacted us regarding this incident and we are currently making inquiries.
“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.
“In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”
This story is being updated
