The UK’s Electoral Commission is the victim of a “complex cyberattack” that could leave up to 40 million voters’ data exposed, according to an announcement from the organisation earlier today. The commission says that hackers accessed copies of the registers it was holding for research purposes and to cross-reference the details of political donors. Cybercriminals were in the system from August 2021, but the hack wasn’t noticed until October last year and has only now been declared.

The Electoral Commission is the UK's election watchdog. Data stolen included public and private voter registers (Photo: chrisdorney / Shutterstock)
The Electoral Commission is the UK’s election watchdog. Data stolen included public and private voter registers. (Photo by Chris Dorney/Shutterstock)

Over the course of the year the hackers were in the system they also had access to the servers holding emails, control systems and electoral register copies. Information stolen by hackers includes the names and addresses of people in the UK registered to vote between 2014 and 2022. This includes those who opted to keep their details off the open register and so aren’t otherwise available to the public.

While the electoral register information is “unlikely to be high risk” on its own, there is a risk of it being used with other public information such as those shared on social media by the voters themselves. This, says the watchdog, could be used “to infer patterns of behaviour or to identify and profile individuals.”

In addition to the public registers and private registers, the watchdog warns that some of the content in the body and attachments on the email server could hold data considered high risk. These could include “sensitive or personal information in the body of an email, as an attachment or via a form on our website, such information may include medical conditions, gender, sexuality, or personal financial details.”

They were also able to access copies of the electoral register used by the Electoral Commission for researching political donations and ensuring they are appropriate and permissible, although details of bank accounts, loan amounts or financial data were held in systems not accessed by the hackers.

No hacking groups have come forward to claim responsibility and the Electoral Commission hasn’t named anybody or any group. Chief executive Shaun McNally told the BBC they could not conclusively determine which files have been accessed and apologised to anyone affected.

“We understand the concern this attack may cause and apologise to those affected,” the watchdog wrote in a blog post. “Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”

No impact on electoral process

The attack has had “no impact on the electoral process” according to the commission. It hasn’t affected the rights or access to the democratic process for individuals or changed anyone’s electoral registration status. In a post on social media site X (formally Twitter), the commission wrote: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process.”

The most concerning aspect was the future impact this data could have, says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, adding that it could be used to fuel future cyberattacks and other types of fraud. “Also,” said Aldridge, “if a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets, in an effort to support that nation’s competitive agenda.”

“My message to voters who may have been affected is to remain vigilant for future scam messages or other communications that may use your name and address to purport legitimacy, and to react with appropriate suspicion,” says Aldridge. “Staying alert and not clicking on suspicious links or providing personal details, whether financial or password related, is the best way to stay protected from all types of phishing emails.”

Chris Cooper, a member of the ISACA Emerging Trends Working Group, says the fact it took so long to be detected is part of a worrying trend in cybersecurity. “Criminals could be active in a network undetected for many months before they attack,” he says.

“Organisations need to detect cyberattacks before they happen rather than act when it’s too late, or they risk reducing consumer trust and damaging their reputation,” adds Cooper. “Businesses need to be recruiting skilled staff and investing in training their workforce in cyber protection. But this shouldn’t be limited to the Cybersecurity Department – every employee within the business needs to be aware of potential cyber risks and know how to protect the organisation.”

Read more: UK National Risk Register highights AI and cybersecurity threats