The UK’s elections watchdog has revealed it has been the victim of a “complex cyber-attack” potentially affecting millions of voters. The Electoral Commission said unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems” but the attack was not discovered until October last year.
The watchdog has warned people to watch out for unauthorized use of their data. In a public notice, the commission said hackers accessed copies of the registers it was holding for research purposes, and for conducting checks on political donors. Chief executive officer Shaun McNally said the commission knew which of its systems were accessible to the hackers, but could not “conclusively” identify which files may have been accessed.
The watchdog said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This includes those who opted to keep their details off the open register – which is not accessible to the public but can be purchased, for example by credit reference agencies. The data accessed also included the names – but not the addresses – of overseas voters, it added. However, the data of people who qualified to register anonymously – for safety or security reasons – was not accessed, the watchdog said. The commission says it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people.
‘Very sophisticated’ attack
The personal data held on the registers – name and address – did not itself present a “high risk” to individuals, it added, although it is possible it could be combined with other public information to “identify and profile individuals”. It has not said when exactly the hackers’ access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022. Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers’ access, examine the extent of the incident and put additional security measures in place. Defending the delay, commission chair John Pullinger said: “If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities.” He said the “very sophisticated” attack involved using “software to try and get in and evade our systems”.
He added that the hackers were not able to alter or delete any information on the electoral registers themselves, which are maintained by registration officers around the country. Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added. Mr McNally said he understood public concern, and would like to apologise to those affected. The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies. The Information Commissioner’s Office, which is responsible for data protection in the UK, said it was urgently investigating. On paper, this is about as serious as it gets.
Hackers interfering in elections is one of the biggest fears of the democratic world. Luckily, the commission says in this case the cyber intruders did not have an impact on any elections, or anyone’s registration status. But make no mistake – this is still a serious breach and the nature of the attack is telling. For supporters of the UK’s manual voting system, the attack will bolster the case against using e-voting in future. “Pen and paper can’t be hacked” is often what supporters say when debates about modernisation come about.
The fact the hackers were inside the Electoral Commission Systems from August 2021 indicates this was not a criminal hacking operation looking to make a quick buck through extortion. This was a patient and skilled adversary to have been inside undetected for so long. This operation looks like a probing one seeking out information about the UK’s democratic process to search for weaknesses. The Electoral Commission isn’t saying who it was (if they know).