The UK’s Electoral Commission revealed that 40 million voter’s data had been accessed by a cyber-attack unnoticed by the public for over a year and not revealed for another 10 months. According to The Guardian, the attackers were able to access complete copies of the electoral records held by the Commission for research purposes as well as to verify the legality of political donations. The data included names and addresses of all UK voters who had registered between 2014 and 2022.
The Commission was unable to know conclusively what information had been accessed and the attackers’ affiliation with a hostile country, such as Russia, or a cyber criminal gang could not be determined. Although the Commission acknowledged that much of the data was in the public domain, it insisted that it would be hard for anyone to affect the outcome. Despite this, it understood the concerns of the public.
The email system of the Commission was also accessible at the time. The full register is held by the Commission and contains data on names and addresses that can be accessed at a local level through electoral registration officers. It was noted that the information may not be used for marketing or commercial purposes.
The intruders of the IT system were not able to access data of anonymous and private voters, as well as the addresses of overseas voters. The Information Commissioner’s Office (ICO) and the National Crime Agency were informed of the incident within 72 hours. A spokesperson from the ICO said that the Commission had contacted them about the incident and they were making inquiries as a matter of urgency. They added that if anyone was concerned about how their data had been handled, they should get in touch with the ICO or check their website for advice and support.
