- Electoral Commission Target of “Complex Cyber-Attack”
- Access to Duplicates of Electoral Registers Compromised
- Highly Sophisticated Attack Raises Concerns about Election Security
The UK’s elections watchdog revealed a “complex cyber-attack” that could have affected millions of voters.
The Electoral Commission reported that “hostile actors” had obtained electoral registration copies in August 2021.
Additionally, hackers breached the company’s email and “control systems” but the breach was not discovered until October of last year.
The watchdog has cautioned individuals to be wary of unauthorized use of their data.
In a public notification, the commission said hackers accessed duplicate research and political contribution records.
Shaun McNally, the commission’s chief executive officer, stated that the commission knew which of its systems were accessible to the hackers, but could not “conclusively” determine which files were accessed.
The information held by the watchdog at the time of the attack included the names and addresses of individuals who registered to vote in the United Kingdom between 2014 and 2022.
This includes individuals who opted to keep their information off the open register. Which is not accessible to the public but can be purchased by third parties, such as credit reference agencies.
In addition, the data accessed included the names, but not the addresses, of overseas electors.
The watchdog said anonymous registration data for safety or security was not accessed.
According to the commission, it is difficult to predict precisely how many people could be affected, but it estimates that the annual register contains information on approximately 40 million individuals.
“Highly sophisticated” assault
The confidential data held on the registers – name, and address – did not pose a “high risk” to individuals, though it could be combined with other publicly available information to “identify and profile individuals.”
It has not specified exactly when the hackers’ access to its systems was terminated, but it has stated that they were secured as soon as feasible after the attack was discovered in October 2022.
The commission explained why it had not made the attack public earlier by stating that it first needed to block the hackers’ access, determine the scope of the incident, and implement additional security measures.
John Pullinger, chairman of the commission, defended the postponement by stating, “If you disclose a vulnerability before it has been patched, you risk creating additional vulnerabilities.”
According to him, the “extremely sophisticated” attack involved “software designed to penetrate and evade our systems.”
The information on the electoral registers themselves, which are maintained by registration officers across the country, was inaccessible to hackers.
Political parties and registered campaigners receive donations and loans in a system unaffected by the occurrence.
Mr. McNally acknowledged the public’s concern and apologized to those affected.
The commission said it has modified its login criteria, alert system, and firewall policies to prevent further intrusions.
The UK Information Commissioner’s Office, which oversees data privacy, began an investigation immediately.
Angela Rayner, the deputy leader of the Labour Party, stated, “This serious incident must be fully and thoroughly investigated so that lessons can be learned.”
This is about as serious as it gets on paper.
The interference of hackers in elections is one of the greatest concerns of the democratic world.
The commission reports that the cyber intruders in this instance did not affect any elections or voter registration.
However, this is still a significant security breach, and the nature of the attack is revealing.
For proponents of the United Kingdom’s manual voting system, the attack will strengthen the case against future e-voting.
“Pen and paper can’t be hacked” is a common refrain heard during discussions of modernization.
The fact that the hackers were inside the Electoral Commission’s systems as early as August 2021 indicates that this was not a criminal cyber operation seeking to extort money.
This adversary was patient and proficient to remain undetected for so long.
This operation appears to be a search for vulnerabilities within the democratic process in the United Kingdom.