Warning for anyone registered to vote after 2014 following UK cyber attack

The Electoral Commission has revealed it was subject to a complex cyber-attack – but does not know what data was accessed, or who was behind the hack.

Hostile actors first gained access to the regulator’s systems in August 2021, but were only discovered in October last year after ‘a suspicious pattern of log-in requests’.

In a statement, the commission revealed hackers were able to access copies of electoral registers, held for research purposes and to enable permissibility checks on political donations.

It added: ‘The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. 

‘The Commission’s email system was also accessible during the attack.’

The Electoral Commission’s chief executive Shaun Mcnally said while the regulator knew which systems were accessible to the hostile actors, they did now know exactly which files had been accessed.

‘While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected,’ said Mr Mcnally.

In a statement, the commission added ‘the personal data most likely to have been accessible includes any names, addresses, email addresses, and any other personal data sent to us by email or held on the electoral registers’.

However, a Q and A about the attack adds that any details provided to us via email or through forms on the website, such as the ‘contact us online’ form, may also have been accessed.

The commission reported the attack to the National Cyber Security Centre, but does still not know who is behind the breach. No one has claimed responsibility for the hack.

However, Mr Mcnally stressed the attack was unlikely to have had any effect on elections that took place during that time, including the May 2022 local elections and the June 2022 Wakefield by-election, triggered by the resignation of Imran Ahmad Khan after he was found guilty of child sexual assault.

‘The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting,’ said Mr Mcnally. ‘This means it would be very hard to use a cyber-attack to influence the process. 

It also provided a number of steps voters can take to check their data.

Professor Alan Woodward, a computer security specialist based at the University of Surrey, warned the main disruption from the cyber-attack would be damage to voters’ confidence, and that voters had little cause to worry.

‘Electoral registers are public domain data,’ he said. ‘I suspect the main problem will be reputational damage. Based on what we know there should be little impact in the short term, but this type of hack tends to erode confidence – and in this case it is confidence in an institution that is important to our democratic processes. 

‘It is the aim of some malicious states to achieve exactly that.’

MORE : Map shows ‘extremely targeted’ Chinese cyber attack on UK and Europe

MORE : In praise of the password – the key to your digital kingdom

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.