'Sufficient protections not in place' to prevent data breach, regulator admits

Electoral Commission says it has taken steps to improve its security systems and processes following the cyberattack

By Sam Trendall

10 Aug 2023

Sufficient protections were not in place to prevent a data breach at the Electoral Commission which saw intruders access its email system and database containing personal details of all voters registered between 2014 and 2022.

The UK’s elections regulator has revealed it was the victim of a cyberattack in which intruders went undetected for more than a year, during which time they accessed the watchdog’s email system and personal data contained on the electoral register.

The Electoral Commission expressed its “regret that sufficient protections were not in place to prevent this cyberattack” and indicated that, working with its security providers and experts from the National Cyber Security Centre, it has taken steps since the breach to improve its security systems and processes.

“We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies,” it said.

The Electoral Commission said it detected the attack in October 2022, having been alerted by “a suspicious pattern of log-in requests to our systems”. The investigation that followed revealed that attackers had first gained access to the organisation’s servers in August 2021 – 14 months before their presence was detected.

During this time, intruders accessed the commission’s email system, where personal data including names, contact details, and images was breached – as well as any sensitive information that may have featured in messages or forms.

Attackers also gained entry to electoral registration databases containing the name, address – and in some cases birth date – of everyone who was registered to vote in the UK from 2014 to 2022. Also accessed were the names of everyone registered as an overseas voter.

In a statement, the commission advised citizens that: “According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals. It is possible, however, that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.”

It added: “The personal data held on the commission’s email servers is also unlikely to present a high risk to individuals unless someone has sent us sensitive or personal information in the body of an email, as an attachment or via a form on our website. Such information may include medical conditions, gender, sexuality, or personal financial details. Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.”

Making enquiries

The watchdog also addressed the issue of why it has not publicly announced until now – 10 months after the attack was detected – that citizens’ personal data may have been compromised.

“There were several steps that we needed to take before we could make the incident public,” it said. “We needed to remove the actors and their access to our system. We had to assess the extent of the incident to understand who might be impacted and liaise with the National Cyber Security Centre and the Information Commissioner’s Office. We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future.”

A spokesperson for the ICO said: “The Electoral Commission has contacted us regarding this incident and we are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency. In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”

Alongside the statement announcing the attack, the commission has also published an FAQ document and created an online form for anyone who wishes to submit a complaint about the, or exercise their rights under Freedom of Information laws to request the provision or deletion of data.
