‘Successful’ cyber attack on elections body put details of more than 40 million voters at risk
The Electoral Commission has revealed “hostile actors” managed to hack its systems, accessing registers which contained the addresses and names of tens of millions of voters.
Faye Brown
Political reporter @fayebrownSky
Tuesday 8 August 2023 20:01, UK
Listen to this article
0:00 / 5:32
1X
BeyondWords
Audio created using AI assistance
Ballots are tallied in the Great Hall of Belfast City Hall
Why you can trust Sky News
Details of tens of millions of voters could have been accessed by hackers who targeted the elections watchdog.
The Electoral Commission revealed on Tuesday it was targeted by a cyber attack which allowed “hostile actors” to access electoral registers.
They apologised for the breach but said there was little risk it could influence the outcome of a vote.
Politics latest: Minister defends Lee Anderson’s ‘salty’ comments about migrants
The hack allowed the attackers to access reference copies of electoral registers which contained the name and addresses of anyone registered to vote between 2014 and 2022.
The reference copies, which are held for research purposes and to enable permissibility checks on political donations, also contained details of people registered to vote overseas during this period of time.
The attack was identified in October 2022, but the hackers had first been able to access the commission’s systems in August 2021.
It means the hostile actors went undetected, with access to millions of records, for more than a year.
At the time of the attack in 2021 there were 43 million people on the electoral register in England and Wales.
The Electoral Commission said the data for most of these people would have been publicly accessible anyway because they are on the open register.
But almost 28 million people opted out of the open register that year, according to a Sky News analysis.
Read more:
Russia-linked cyber attack groups want to ‘destroy’ UK
Domestic abuse victims ‘detected by perpetrators’ through Netflix account
Shaun McNally, the Electoral Commission’s chief executive, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.
“This means it would be very hard to use a cyber attack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”
A spokesperson for the National Cyber Security Centre said they provided the commission with “expert advice and support to aid their recovery” after the incident was first identified.
They added: “Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”
Mr McNally said significant measures had been taken to improve security on the commission’s IT systems.
He said while it is known which systems were accessible to the “hostile actors,” they are “not able to know conclusively what files may or may not have been accessed”.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”
The register for each year holds the details of around 40 million individuals, although this includes people on the open registers whose information is already in the public domain.
The registers accessed by hackers did not include the details of those registered anonymously.
MORE THAN 27 MILLION PEOPLE WHO NEVER WANTED DATA SHARED PUBLICLY FACE FALLOUT FROM HACK
Tom Cheshire
Tom Cheshire
Data and Forensics correspondent
@chesh
The Electoral Commission has pointed out that “the data contained in the electoral registers is limited, and much of it is already in the public domain”.
That’s true for anyone on the open register. Their names and home addresses are publicly available.
But those who opted out of the open register – who chose not to share their personal data publicly – are also potential victims.
And there are lots of them.
According to the ONS, 27,783,078 people opted out in England and Wales in 2021, the year that the hackers had access to the Commission’s systems.
That’s nearly 65% of all those on the register in England and Wales that year.
The majority of voters wanted to participate in the democratic process without making their details public.
But the hackers spent more than a year with access to them and it’s impossible to say what they will do.
And that is a risk, as the Commission acknowledged: “It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.”
Angela Rayner MP, Labour’s Deputy Leader and the Shadow Chancellor of the Duchy of Lancaster, said: “This deeply concerning attack serves as a reminder of the critical importance of Britain’s resilience to cyber attacks.
“Our democracy is a foundation of our society and every effort must be made to protect it.
“This serious incident must be fully and thoroughly investigated so lessons can be learned.”
The Information Commissioner’s Office said it would be making enquiries.
“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.
“In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”
