‘Hostile actors’ hacked UK electoral register, accessed ‘high volume’ of data
Hackers accessed personal information on people registered to vote in the United Kingdom in a yearlong breach, according to an announcement on Tuesday by the country's Electoral Commission — the independent agency that oversees voting eligibility as well as political parties' election financing.
According to the agency's statement, “hostile actors” first accessed its internal systems in August 2021 and were not discovered until October 2022.
It said it was issuing a notification about the incident due to “the high volume of personal data potentially viewed or removed” during the cyberattack.
It did not say whether the attackers appeared to be gathering intelligence or were financially motivated, either seeking to directly monetise their access to the Commission’s systems or potentially using the information on voters in an attempt to defraud members of the public.
The agency said that during the cyberattack “the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers.”
The copies of the electoral registers that the attackers accessed were used “for research purposes and to enable permissibility checks on political donations,” said the Electoral Commission.
The data potentially copied by the attackers includes “the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.” The agency did not say how many people were affected.
“We understand the concern this attack may cause and apologise to those affected. Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks,” the agency said.
A spokesperson for the National Cyber Security Centre (NCSC) told Recorded Future News: “We provided the Electoral Commission with expert advice and support to aid their recovery after a cyber incident was first identified.
“Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”
The Commission argued that the breach of people's personal information did not “present a high risk to individuals” although it acknowledged: “It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.”
Under Britain's data protection laws, organizations are obliged to notify the public “without undue delay” in the case of a sufficiently serious breach. The Commission said it discovered the incident in October 2022, nine months ago.
“Failing to notify a breach when required to do so can result in a significant fine up to £8.7m or 2% of your global turnover,” explains guidance published by the Information Commissioner's Office (ICO), which regulates data protection in Britain.
“The attack has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status,” added the Commission.
A spokesperson for the ICO told Recorded Future News that the regulator was making enquiries about the incident: “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.