The personal information of approximately 40 million U.K. voters was exposed to hackers for more than a year after the Electoral Commission fell victim to a “complex cyberattack.”
The Electoral Commission, the watchdog responsible for overseeing elections in the U.K., said in a statement on Tuesday that it first identified suspicious activity on its network in October 2022, but later confirmed that unnamed “hostile actors” had first accessed its systems over a year earlier in August 2021.
When asked by TechCrunch why the organization has only just notified those impacted, Electoral Commission spokesperson Andreea Ghita said there were “several steps” that the Commission needed to take before it could make the incident public.
“We needed to remove the actors and their access to our system. We had to assess the extent of the incident to understand who might be impacted and liaise with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future,” the spokesperson said.
These measures include strengthening its network login requirements, improving its threat monitoring capabilities and updating its firewall policies, according to an FAQ published by the Electoral Commission.
The Electoral Commission’s spokesperson told TechCrunch that the incident, which saw hackers access the Commission’s email, control systems, and copies of the electoral registers, may have affected as many as 40 million U.K. voters. This includes anyone who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
‘No impact’ to U.K. election security
While the Electoral Commission has been unable to ascertain whether the attackers exfiltrated data held on its systems, it says that data potentially impacted includes U.K. citizens’ full names, email addresses, home addresses, phone numbers, any personal images sent to the Commission, and any details provided via email or online contact forms.
The watchdog notes that while much of this information is already in the public domain, it could be combined with other data to infer patterns of behavior or to identify and profile individuals.
The Electoral Commission added that there has been “no impact” on the security of U.K. elections.
“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,” the Commission states. “This means it would be very hard to use a cyberattack to influence the process.”
It’s not yet known who was behind the attack. The Electoral Commission said “we do not know who is responsible for the attack,” and the NCSC declined to answer when asked by TechCrunch.
“We provided the Electoral Commission with expert advice and support to aid their recovery after a cyber incident was first identified,” said an NCSC spokesperson, who declined to provide their name. “Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”
When reached for comment, ICO spokesperson James Huyton confirmed the Electoral Commission notified the data protection agency of the breach, but declined to say why there was a nine-month delay in public disclosure.