
Data on 40 million voters stolen from Electoral Commission

Data stolen by hackers include public and private electoral registers with names and addresses of voters. Emails were also taken in the hack.

By Ryan Morrison

The UK’s Electoral Commission is the victim of a “complex cyberattack” that could leave up to 40 million voters’ data exposed, according to an announcement from the organisation earlier today. The commission says that hackers accessed copies of the registers it was holding for research purposes and to cross-reference the details of political donors. Cybercriminals were in the system from August 2021, but the hack wasn’t noticed until October last year and has only now been declared.

The Electoral Commission is the UK’s election watchdog. Data stolen included public and private voter registers. (Photo by Chris Dorney/Shutterstock)

Over the course of the year the hackers were in the system they also had access to the servers holding emails, control systems and electoral register copies. Information stolen by hackers includes the names and addresses of people in the UK registered to vote between 2014 and 2022. This includes those who opted to keep their details off the open register and so aren’t otherwise available to the public.

While the electoral register information is “unlikely to be high risk” on its own, there is a risk of it being combined with other publicly available information, such as details shared on social media by the voters themselves. This, says the watchdog, could be used “to infer patterns of behaviour or to identify and profile individuals.”

In addition to the public and private registers, the watchdog warns that some of the content in the body and attachments on the email server could hold data considered high risk. These could include “sensitive or personal information in the body of an email, as an attachment or via a form on our website, such information may include medical conditions, gender, sexuality, or personal financial details.”

The hackers were also able to access copies of the electoral register used by the Electoral Commission for researching political donations and ensuring they are appropriate and permissible, although details of bank accounts, loan amounts and other financial data were held in systems not accessed by the hackers.

No hacking groups have come forward to claim responsibility and the Electoral Commission hasn’t named anybody or any group. Chief executive Shaun McNally told the BBC they could not conclusively determine which files have been accessed and apologised to anyone affected.

“We understand the concern this attack may cause and apologise to those affected,” the watchdog wrote in a blog post. “Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”


No impact on electoral process

The attack has had “no impact on the electoral process” according to the commission. It hasn’t affected the rights or access to the democratic process for individuals or changed anyone’s electoral registration status. In a post on social media site X (formerly Twitter), the commission wrote: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process.”

The most concerning aspect was the future impact this data could have, says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, adding that it could be used to fuel future cyberattacks and other types of fraud. “Also,” said Aldridge, “if a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets, in an effort to support that nation’s competitive agenda.”

“My message to voters who may have been affected is to remain vigilant for future scam messages or other communications that may use your name and address to purport legitimacy, and to react with appropriate suspicion,” says Aldridge. “Staying alert and not clicking on suspicious links or providing personal details, whether financial or password related, is the best way to stay protected from all types of phishing emails.”

Chris Cooper, a member of the ISACA Emerging Trends Working Group, says the fact it took so long to be detected is part of a worrying trend in cybersecurity. “Criminals could be active in a network undetected for many months before they attack,” he says.

“Organisations need to detect cyberattacks before they happen rather than act when it’s too late, or they risk reducing consumer trust and damaging their reputation,” adds Cooper. “Businesses need to be recruiting skilled staff and investing in training their workforce in cyber protection. But this shouldn’t be limited to the Cybersecurity Department – every employee within the business needs to be aware of potential cyber risks and know how to protect the organisation.”

