The UK’s Electoral Commission today announced it suffered a cyberattack in August 2021, with attackers gaining access to registers that contained the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
In a statement issued by the Electoral Commission via its website, the election watchdog said that although attackers first gained access to electoral registers and the commission’s email system in August, the hack wasn’t identified until October 2022, when the electoral body became aware of a suspicious pattern of log-in requests being made to its systems.
The commission said while it is “not able to know conclusively” what information had been accessed, the personal data most likely to have been accessible includes names, addresses, email addresses, and any other personal data sent to the commission by email or held on the electoral registers. Due to large parts of the UK’s electoral system still being paper based, however, “it would be very hard to use a cyber-attack to influence the [electoral] process.” The Commission also sought reassure those that might have been affected by the breach by noting that the hack will not impact an individual’s ability to take part in the democratic process or affect their current registration status or eligibility to vote.
“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems,” Shaun McNally, the Electoral Commission chief executive, said in a statement.
In line with requirements under the law, McNally said the Electoral Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying the breach and the ICO is currently investigating the incident.
“The Electoral Commission has contacted us regarding this incident and we are currently making enquiries,” a spokesperson for the ICO said in a statement. “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”