UK voter data hacked in cyber attack on election watchdog

An unknown threat actor who attacked the UK’s Electoral Commission had access to data on millions of UK voters for over a year, the watchdog has revealed

The UK’s Electoral Commission has fallen victim to a major cyber incident that saw electoral registers containing the personal data of millions of voters accessed by an as-yet undisclosed threat actor.

The election watchdog said the attacker first accessed its systems in August 2021 but was able to avoid detection for over 12 months, before the body identified suspicious activity on its network in October 2022.

It said the perpetrator accessed servers that held its email, control systems and electoral registers. They were able to obtain reference copies of the electoral registers held by the commission for research purposes and to conduct checks on political donors.

These registers included the names and addresses of everybody in the UK who registered to vote between 2014 and 2022, including those who opted to keep their details off the open register and the names of registered overseas voters. People who qualified to be registered anonymously for safety or security reasons are understood to be unaffected.

“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,” said Electoral Commission chief executive Shaun McNally.

“This means it would be very hard to use a cyber attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.

“We regret that sufficient protections were not in place to prevent this cyber attack. Since identifying it, we have taken significant steps, with the support of specialists, to improve the security, resilience and reliability of our IT systems.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

The body added that the data contained in the registers was not amended or changed in any way during the cyber attack, and there has been no impact on anybody’s registration status or right to vote resulting from it.

Nevertheless, it is possible that the purloined data could be combined with other data in the public domain or taken from other leaks, to conduct downstream cyber attacks, including phishing and fraud attempts, against individuals.

According to the Electoral Commission, the data accessed via its email servers is similarly unlikely to pose a serious risk to individuals unless they had disclosed sensitive or personal information in the body of an email or sent it as an attachment.

It advised that no immediate action needs to be taken, but that anybody who contacted the commission via email or who was registered to vote between 2014 and 2022 should be on the alert for potential misuse of their data.

Members of the public can contact the Electoral Commission to make a Subject Access Request under the General Data Protection Regulation (GDPR), request their data be erased, or make a Freedom of Information (FoI) request or complaint, using the linked form.
