Millions of UK voters’ data accessible in cyber-attack

Confidence in the UK’s electoral regulator has been thrown into question after it emerged a hostile cyber-attack accessing the data of 40 million voters went undetected for a year and the public was not told for another 10 months.

The Electoral Commission apologised for the security breach in which the names and addresses of all voters registered between 2014 and 2022 were open to “hostile actors” as far back as August 2021.

The attack was discovered last October and reported within 72 hours to the Information Commissioner’s Office (ICO), as well as the National Crime Agency. However, the public has only now been informed that the electoral registers containing the data of millions of voters may have been accessible throughout that time.

The Electoral Commission said it was “not able to know conclusively” what information had been accessed. It is not known whether the attackers were linked to a hostile state, such as Russia, or a criminal cyber gang.

The watchdog said “much of the data” was already in the public domain and insisted it would be difficult for anyone to influence the outcome of the UK’s largely paper-based electoral system, but it acknowledged that voters would still be concerned.

A former GCHQ director, David Omand, told BBC Radio 4’s PM that Russia was “first on my list of suspects”, while Sir Richard Dearlove, the former head of MI6, told the Daily Telegraph that the Kremlin would “be at the top of the suspects list by a mile”.

The attackers were able to access full copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations. These registers include the name and address of anyone in the UK who was registered to vote between 2014 and 2022. The commission’s email system was also accessible during the attack.

The full register held by the Electoral Commission contains name and address data that can be inspected by the public but only locally through electoral registration officers, with only handwritten notes allowed. The information is not permitted to be used for commercial or marketing purposes.

The data of anonymous voters whose details are private for safety reasons and the addresses of overseas voters were not accessible to the intruders in the IT system.

The attack has already prompted questions about the integrity of the UK’s electoral system, but the National Crime Agency said it was “defending the UK’s democratic processes”, and helping to “strengthen the cyber-resilience of our electoral systems” was a priority.

Prof Alan Woodward, a computer security specialist based at the University of Surrey, said: “The main problem here is the reputational damage to the Electoral Commission and the faith people have in the democratic purpose.

“Though the electoral registers are public, this attack appears to be a deep penetration into the network and the hackers were in for a while before they were spotted. The Electoral Commission is an important part of our democracy, our electoral system is totally based on trust, and this will erode the confidence people have in it.”

Andrew Rose, the chief information security officer for Europe at Proofpoint, a US cybersecurity company, said it was “no surprise to see a competent, stealthy threat actor seeking to assess, and potentially undermine, our voting records and process”, given the “fragility of democracy”.

“Today’s news that the UK Electoral Commission has exposed millions of voters’ data is an important cybersecurity breach that, if truth be told, we should have been expecting,” he said. “We are fortunate that the UK’s Electoral Commission says this ‘did not have an impact on any elections, or anyone’s registration status’. That being said, this is still incredibly serious as undermining the democratic process could lead to uncontrolled and catastrophic societal change.”

He added: “While we cannot be certain of their motive, what they learned, or what the attacker was truly seeking, in this instance, the attackers had access to the electoral systems for a number of months indicating they were in search of something other than quick financial gain, which is the most common motive of attacks. The longer an attacker stays undetected in a network – the more damage they can do.”

Shaun McNally, the chief executive of the Electoral Commission, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.

“This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”

After questions about why details of the hack took so long to be made public, the commission said it needed to “remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public”.

It said the attack had “used a sophisticated infiltration method, intended to evade our checks”, which was why it had taken so long to detect.

McNally said: “We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it, we have taken significant steps with the support of specialists to improve the security, resilience and reliability of our IT systems.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

A spokesperson for the ICO, the UK’s independent regulator on data protection, said: “The Electoral Commission has contacted us regarding this incident and we are currently making inquiries.

“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency. In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”
