The UK’s Electoral Commission has revealed it has been the victim of a “complex cyber-attack,” exposing the personal details of millions of British voters.
The Commission revealed the attack was identified in October 2022 after suspicious activity was detected on its systems. A subsequent investigation found that the attackers had first accessed its servers in August 2021, the Commission reported in a notification published on August 8, 2023.
The malicious actors accessed “reference copies” of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. This contained personal data of anyone in the UK who was registered to vote between 2014 and 2022, including names and home addresses. The names of those registered as overseas voters were also exposed.
The register did not include information of those registered anonymously.
Jake Moore, cybersecurity advisor at ESET said that it is “worrying” that the attack went undiscovered for 15 months and the authorities were not alerted of any abnormalities on their systems in that time.
“Cyber-criminals work best in stealth mode but rarely are they undetected for this length of time. However complex an attack is, it is saddening to see malicious actors break in and rummage around for so long,” he said.
Questions also arose on social media regarding 10 months for the Commission to inform the public of the incident.
The Commission explained via its official Twitter account: “We needed to remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public.”
When asked by one social media user whether the “hostile actor” could potentially influence the next UK General Election, expected in 2024, it stated: “There has been no impact on the security of UK elections. The data accessed does not impact how people register, vote, or participate in democratic processes. It has no impact on the management of the electoral registers or on the running of elections.”
No tags.
