Electoral Commission cyber attack leaks data of all UK voters since 2014

The UK Electoral Commission has been the subject of a serious and complex cyber-attack.

Hackers have stolen data on around 40 million voters, including information from both public and private electoral registers, which contain the names and addresses of voters. Emails were also taken in the hack.

In a detailed and extensive statement, the commission disclosed that hostile actors accessed their systems between August 2021 and October 2022, gaining entry to sensitive information, including personal data of voters registered between 2014 and 2022

What Happened?

Suspicious activity detected on the commission’s systems in October 2022 led to the discovery of the breach. Upon investigation, it became clear that unauthorized access had first occurred in August 2021.

Voters have been reassured a data leak “has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status”. ‌​‌​‌​​​‍‌​‌​​‌‌‌‍‌​‌‌​​‌​‍‌​‌‌‌​‌‌‍‌​‌‌‌‌​​The exact identity of the perpetrators remains unknown, and no group or individual has claimed responsibility.

What Data Was Accessed?

The accessed data includes names, addresses, email addresses, and contact numbers. Specific details such as gender, sexuality, medical conditions, or personal financial details are unlikely to present a high risk, unless sent via email or a web form.

Data on the open register, which is already publicly available, was accessible, but the Electoral Commission assured that the information affected “does not pose a high risk to individuals.”

Full list of personal data affected by this incident: ‌​‌​‌​​​‍‌​‌​​‌‌‌‍‌​‌‌​​‌​‍‌​‌‌‌​‌‌‍‌​‌‌‌‌​​

• Personal data contained in email system of the Commission:
  • Name, first name and surname.
  • Email addresses (personal and/or business).
  • Home address if included in a webform or email.
  • Contact telephone number (personal and/or business).
  • Content of the webform and email that may contain personal data.
  • Any personal images sent to the Commission.
• Personal data contained in Electoral Register entries:
  • Name, first name and surname
  • Home address in register entries
  • Date on which a person achieves voting age that year.

Official Responses

In an official statement, the Electoral Commission said, “We understand the concern this attack may cause and apologise to those affected. Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”

A spokesperson for the ICO, the UK’s independent regulator on data protection, also confirmed their investigation into the matter, stating, “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”

Reassurance for the Public

The Electoral Commission has taken pains to reassure voters that the cyber attack has not impacted the electoral process, affected the democratic rights of individuals, or changed anyone’s electoral registration status.

They also noted that the information leaked in this incident is not deemed to present a high risk to those affected.

The Commission has urged those who registered to vote between 2014 and 2022 to remain vigilant for unauthorized use of their personal data and has provided channels for those concerned to contact their data protection officer.

A Complex Issue

This incident underlines the growing challenges in maintaining data security in a digital age. The combination of political sensitivity and the sheer volume of personal data potentially viewed or removed during the attack adds an additional layer of complexity to an already serious incident.

While investigations continue, the full implications of this breach may yet unfold. However, the quick action by the Electoral Commission to secure systems and keep the public informed provides some assurance to a public increasingly concerned about cyber security and privacy.