Hostile actors had access to the Electoral Commission’s copies of the electoral registers, its email system and other information for more than a year before the intrusion was detected.
The attackers first gained access to the commission’s systems in August 2021, but suspicious activity was not identified until October 2022, some 14 months later. The Electoral Commission worked with external security experts and the National Cyber Security Centre to investigate the incident and secure its systems, and formally announced the breach this week.
As required by law, the commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying that data on its systems may have been accessed. The ICO is continuing to investigate the matter.
To improve security, the commission says it has since updated its log-in requirements, its alerting system and its firewall. But serious questions remain about how the attackers stayed undetected for so long: a dwell time of over a year suggests that network and account monitoring was insufficient to surface the intrusion.
The material accessed included reference copies of the electoral registers including the names and addresses of everyone in the UK registered to vote between 2014 and 2022, and some details of those registered overseas – in total, an estimated 40m people. The commission’s email system was also accessed.
The data accessed did not include the details of people registered to vote anonymously. Nor did it include the information the commission holds on donations and loans to political parties and registered campaigners.
The data accessed is not considered to be high-risk in isolation, but it could be combined with other publicly available data to enable the identification and profiling of individuals.
The hackers were not able to change or delete the information held on the electoral registers. Indeed, the Electoral Commission does not compile or maintain the registers themselves; that is done by the Electoral Registration Officers in each local authority area. Several organisations, including the Electoral Commission, are permitted to hold reference copies of this information in order to fulfil their duties in the democratic process, and it was such copies that were exposed.
Shaun McNally, Chief Executive of the Electoral Commission, says: ‘The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.
‘We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.’
‘We know which systems were accessible to the hostile actors but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.’
The Information Commissioner’s Office issued the following statement: ‘The Electoral Commission has contacted us regarding this incident and we are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.
‘In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.’