On August 8, 2023, Sky News reported that the UK’s Electoral Commission fell victim to a cyber attack, potentially compromising the details of tens of millions of voters. The attack, which occurred in August 2021 but was only identified in October 2022, allowed “hostile actors” to access electoral registers. The breach raised concerns about the security of voter information and the potential impact on democratic processes.
The hackers gained access to reference copies of electoral registers containing the names and addresses of individuals registered to vote between 2014 and 2022. These reference copies are primarily used for research purposes and to verify political donations’ eligibility. The compromised data also included information about voters registered overseas during the specified period.
While there were approximately 43 million people on the electoral register in England and Wales in 2021, nearly 28 million individuals had opted out of the open register, according to analysis by Sky News. This indicates that a substantial number of people may have been affected by the breach.
Shaun McNally, Chief Executive of the Electoral Commission, acknowledged the breach and expressed that the dispersed nature of the UK’s democratic process, along with paper documentation and manual counting, makes it challenging for cyber attacks to significantly impact the election process itself. Despite this, the incident underscores the vulnerability of organizations involved in elections and the need for constant vigilance against such risks.
The National Cyber Security Centre (NCSC) provided expert advice and support to the Electoral Commission following the breach’s discovery. The NCSC highlighted the importance of safeguarding the UK’s democratic processes and offered guidance to enhance the cyber resilience of electoral systems.
McNally stated that substantial security measures had been implemented to bolster the Commission’s IT systems. However, the exact extent of the data accessed by the hackers remains unclear. McNally emphasized that, while much of the data accessed was already in the public domain, the Electoral Commission understands the concerns raised by potential access to voter information and apologized to those affected.
The compromised registers contained data for around 40 million individuals annually. However, this figure includes individuals on the open registers, whose information is already publicly available. The hackers did not gain access to the details of individuals registered anonymously.
The Information Commissioner’s Office (ICO) announced that it would be launching an investigation into the incident. The ICO acknowledged the potential alarm caused by the breach and reassured the public that it was investigating the matter urgently. It encouraged individuals who were concerned about their data’s handling to reach out to the ICO for advice and support.
In an era where cyber-attacks can have far-reaching implications, the breach highlights the ongoing need for robust cybersecurity measures to safeguard critical institutions and the data they hold. The incident serves as a reminder of the evolving threats that organizations face in the digital age and the importance of constant vigilance against cyber risks.