UK Electoral Commission suffers years-long cyber attack

UK election watchdog, The Electoral Commission (TEC), has been the victim of a “complex” cyber attack which has potentially exposed the data of more than 40 million voters.

News of the cyber attack was published in an FAQ on the commission’s website on August 8. In the post, TEC explained that the cyber attack was discovered in October 2022 after suspicious activity was detected on its systems. 

During the cyber attack, malicious actors were able to access TEC’s file sharing and email systems, meaning the data that was “most likely accessible” includes names, addresses, email addresses, and any other personal data sent to The Electoral Commission via email or held on the electoral registers for all those registered to vote in the UK between 2014 to 2022, as well as the names of those registered to vote overseas. This amounts to as many as 40 million voters.

TEC said it was unable to ascertain if the data accessible during the cyber attack had been copied or otherwise stolen from its systems. 

The watchdog explained that it worked with the National Cyber Security Center (NCSC) as well as external cyber security experts in order to secure its systems following the cyber security incident.

Regarding the attack, The Electoral Commission said that it “regret[s] that sufficient protections were not in place to prevent this cyber attack and apologize to those affected”.

While TEC said that the data accessed by the malicious actors was “limited” and “already in the public domain”. The commission noted that, according to the Information Commissioner Office’s data breach risk assessment, the data held by the electoral register “does not in itself present a high risk to individuals”. TEC did also say, however, that the data accessed “could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behavior or to identify and profile individuals”. 

TEC explained that they were unaware of who committed the cyber attack, and no individuals or groups have yet claimed responsibility for the attack.