
Millions of UK voters’ data accessible in cyber-attack, says Electoral Commission – The Guardian



Watchdog apologises for security breach in which names and addresses were accessible as far back as 2021

The data of millions of voters was accessible to hackers in a cyber-attack by “hostile actors” discovered almost a year ago, the Electoral Commission has admitted.

The watchdog apologised for the security breach in which the names and addresses of millions of voters were accessible to hackers as far back as 2021. The breach was discovered in October last year and reported to the Information Commissioner’s Office (ICO), as well as the National Crime Agency.

However, the public has only now been informed that electoral registers containing the data of millions of voters may have been accessible to the unknown hackers.

The Electoral Commission said it was “not able to know conclusively” what information had been accessed but said the largely paper-based process of elections meant it would be very hard for hackers to influence the outcome of a vote. It said “much of the data” was already in the public domain, but acknowledged that voters would still be concerned.

Shaun McNally, the chief executive of the Electoral Commission, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.

“This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”

After questions about why details of the hack took so long to be made public, the commission said it needed to “remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public”.

It said the attack had “used a sophisticated infiltration method, intended to evade our checks”, which was why it had taken so long to detect.

The attackers were able to access reference copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations. These registers include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, and the names of those registered as overseas voters. The commission’s email system was also accessible during the attack.

McNally said: “We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it, we have taken significant steps with the support of specialists to improve the security, resilience and reliability of our IT systems.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed. While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

A spokesperson for the ICO, the UK’s independent regulator on data protection, said: “The Electoral Commission has contacted us regarding this incident and we are currently making inquiries.

“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency. In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”


