- UK’s Electoral Commission discloses major cyber attack exposing millions of voters’ data.
- The data breach occurred in August 2021 and was detected in October 2022, compromising internal systems.
- Hostile actors accessed servers, compromising emails, control systems, and electoral registers.
- Commission expresses regret and collaborates with cybersecurity experts to investigate.
- Incident raises global concerns about democratic process security and election interference.
Britain’s Electoral Commission, responsible for overseeing elections and regulating political finance, has revealed details of a major cyber attack that left millions of UK voters exposed to hostile actors for over a year.
The data breach, characterized as a “complex cyber incident,” first occurred in August 2021 but was only detected in October 2022. Hostile actors gained access to the Commission’s servers, compromising internal emails, control systems, and copies of electoral registers, potentially putting personal data at risk.
The Commission, acknowledging the data breach and its implications, expressed regret over the security lapse. Shaun McNally, the Chief Executive of the Electoral Commission, admitted that while they know which systems were accessed, it is impossible to determine definitively which files were accessed or manipulated. He offered reassurance, however, that because the UK’s elections are largely paper-based, it would be difficult for hackers to influence the outcome of a vote directly.
The compromised electoral registers contained information from 2014 to 2022, including the names and addresses of voters, both domestic and overseas. While the Commission acknowledged that much of this data was already publicly available, it emphasized that the potential exposure was a cause for concern and apologized to the affected individuals.
“The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack,” McNally said in a statement.
Commenting on the issue, Mr. Tom Hamersley, Senior Solutions Architect at HackerOne, told Hackread.com, “A breach on the Electoral Commission sounds critical and important, and the news is getting a lot of attention. However, looking at the incident more closely, the fact it was identified in October 2022 and is only being reported now suggests the impact wasn’t critical.”
“This is also illustrated by the fact the PII breach was limited, with most of the information already being in the public domain, and the breach has not affected the rights or access to the democratic process or affected electoral registration status.”
Mr. Hamersley showed his concern for future cyber attacks aimed at the UK Electoral Commission and other critical infrastructure in the country. “I’m more concerned that the measures they’ve stated as having taken to prevent future attacks look reactive and basic,” he added.
“While they are increasing their overall alerting to suspicious login activity, it doesn’t suggest an improvement in the overall security maturity of their electoral assets and whether or not they will undergo sufficient automated and human testing.”
“Many other government agencies, including the NCSC, already take an advanced approach to security testing and engage with the ethical hacking community to report any potential vulnerabilities,” Mr. Hamersley said.
The incident has raised broader concerns about the security of democratic processes globally. Electoral security has become a key issue following instances of interference in elections, such as Russia’s alleged involvement in the 2016 U.S. presidential election.
In response to the attack, the Electoral Commission has collaborated with the UK’s National Cyber Security Centre (NCSC) and external experts to investigate the data breach. The Commission has also taken steps to improve the security, resilience, and reliability of its IT systems, aiming to prevent future cyber incidents that could potentially compromise the democratic process.