The watchdog of UK elections has revealed that it has been the victim of a cyberattack.
Saying that it could potentially affect millions of voters.
Electoral Commission said “hostile actors” managed to access copies of the electoral registers from August of 2021.
Hackers had also broken into emails and “control systems” however, the attack was not uncovered until October of 2022.
The watchdog has issued a warning for people to watch out for unauthorised use of their data.
The commission released a public notice which says the hackers gained access to copies of the registers. (Public notification of cyber-attack on Electoral Commission systems | Electoral Commission)
These registers were being held for research purposes and running checks on political donors.
The Chief Executive Officer of the Electoral Commission, Shaun McNally, said the commission did know which of the systems were accessible to hackers.
However, they couldn’t “conclusively” identify which files the hackers may have viewed or stolen.
The watchdog also said that the information it held at the time of the cyberattack included items like names and addresses of people (in the UK) who registered to vote between 2014 and 2022.
This means that those who opted to keep their details off the open register, which isn’t accessible to the public but can be bought, are also at risk after the attack.
Data that the hackers gained access to also had names, not addresses, of overseas voters.
The watchdog has said that data from those who registered anonymously wasn’t accessed.
The commission estimates the register for each year contains details of around 40 million people, but they say it is difficult to say how many people could be affected.
Personal details on the registers didn’t present a “high risk” to individuals.
However, it is possible it could be used alongside other public information to “identify and profile individuals”.
The commission hasn’t said when the hackers were kicked out of their systems.
They did say the systems were secured as soon as possible after they identified the attack in October last year.
When explaining why it didn’t publicly announce the attack until now, the commission said it needed to ensure the hackers no longer had access first.
They also said they needed to investigate the extent of the attack and add further security measures.
Commission chair John Pullinger said in defence of the delay, “If you go public on a vulnerability before you sealed it off, then you are risking more vulnerabilities.”
He also said the “very sophisticated” attack saw the use of “software to try and get in and evade our systems”.
Pullinger added that the hackers were unable to make any changes to the information on the registers which are maintained by registration officers all over the country.
In the notice, the commission said information on donations and loans to political parties and registered campaigners is held in a different system that was not affected by the attack.
Shaun McNally said he understands the public concern and wishes to apologise to everyone affected.
The commission has said it had taken action to ensure the security of its systems by updating the login requirements and updating the alert system and its firewall policies.
The Information Commissioner’s Office which oversees the UK’s data protection, said it was investigating this urgently.
Angela Rayner, Labour’s Deputy Leader has said “This serious incident must be fully and thoroughly investigated so lessons can be learned.”
Although the commission says this attack didn’t impact elections or anyone’s registration status, it is still a grave breach.
It doesn’t seem like the hackers are trying to make money from this attack as they had access to the electoral registers on August 2 years ago.
The attack was a long-played-out and skilled project.
It may be that the hackers were looking to gain access to these registers to understand more about the UK’s democratic processes in search of vulnerabilities.
The Electoral Commission has not said who is behind the attack if they do know who it was.
We always keep updated with the latest technology and cybersecurity news, if your business needs help with cybersecurity, contact our team.
Itek provides IT solutions for your entire IT infrastructure. Your business can experience a cost-effective service at a predictable fixed rate, removing the burden from you and your team and freeing you to focus on your goals.