The UK’s elections watchdog has admitted that it was hacked by “hostile actors” who accessed its servers containing copies of electoral registers. The registers held information such as the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as those registered as overseas voters.
How the attack happened
The Electoral Commission said the attack was first identified in October 2022, but attackers had first accessed its systems in August 2021. It said it had worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems. It also notified the Information Commissioner’s Office (ICO), which is responsible for enforcing data protection laws.
The commission said it was “not able to know conclusively” what information had been accessed, but it believed that the attackers were “hostile actors” who were “interested in accessing electoral registers”. It said it had no evidence that any other data, such as financial or staff information, had been compromised.
The commission said it had taken steps to prevent further attacks, such as strengthening its security systems, reviewing its data retention policies, and deleting any unnecessary data. It also said it had contacted all electoral registration officers in the UK to advise them on how to protect their own data.
What the impact could be
The commission said it was “deeply sorry” for the breach and apologised to anyone who may have been affected. It said it understood that people may be concerned about their personal data and advised them to check their credit reports and bank statements for any suspicious activity.
The commission also said that the largely paper-based process of elections meant it would be very hard for hackers to influence the outcome of a vote. However, it acknowledged that the breach could undermine public confidence in the electoral system and said it was committed to ensuring its security and integrity.
The breach could also have implications for the UK’s data protection regime, which is based on the EU’s General Data Protection Regulation (GDPR). The GDPR requires organisations to report data breaches within 72 hours and imposes hefty fines for failing to protect personal data. The ICO could launch an investigation into the breach and decide whether to take any enforcement action against the commission.
How the authorities reacted
The NCSC confirmed that it had supported the commission in responding to the incident and said it was working with other government agencies to understand the potential impact. It also urged anyone who may have been affected by the breach to follow its advice on how to protect themselves online.
The ICO said it had received a report from the commission and was assessing the information provided. It said it would not comment further until its investigation was complete.
The Cabinet Office, which oversees the commission, said it took the security of personal data very seriously and expected the commission to do everything possible to prevent future breaches. It also said it was working closely with the commission and other relevant authorities to ensure that elections were secure and fair.
How the public reacted
The breach sparked outrage and concern among some members of the public, who expressed their views on social media. Some people questioned how the commission could have allowed such a breach to happen and how long it took to detect and report it. Others worried about how their personal data could be used by hackers or foreign adversaries. Some people also called for more transparency and accountability from the commission and demanded compensation for any harm caused by the breach.
However, some people also defended the commission and praised its work in ensuring free and fair elections. They argued that cyber-attacks were inevitable in today’s world and that the commission had done its best to respond and mitigate the damage. They also pointed out that there was no evidence that any votes had been tampered with or that any other data had been stolen.