40 Million Voters Exposed in Electoral Cyber Attack

A successful cyber attack focused towards the electoral commission has hacked registers containing the names and addresses of tens of millions of voters – putting them into the hands of hostile actors.

The Electoral Commission revealed on Tuesday, August 8th, they had been the target of an attack that has granted access to electoral registers, but with little risk of influencing the outcome of the vote.

Access to Reference Copies

The hackers were quick to access reference copies of electoral registers containing the names and addresses of all parties eligible to vote between 2014 and 2022. The reference copies are mainly held for research purposes and enabling permissibility checks on political donations. The register also contained information on people registered to vote overseas during that period.

The attack was first spotted in October 2022, with the hackers able to access the commission’s systems as far back as August 2021, meaning that the hostile actors had been within these systems, undetected, for over a year before being found.

During the first access, the UK had 43 million registered voters in the system throughout England and Wales. Data on most of the population would have been publicly accessible – due to them being on an open register. That year, almost 28 million people opted out of the open register.

No Influence on Process

The UK’s democratic process is significantly dispersed with key aspects retained on paper documentation, making a cyber attack tough to influence any process. Regardless, organisations involved in elections are a prime target, and successful attacks such as these highlight the risks around processes in our elections.

The National Cyber Security Centre has been working with the commission to aid the recovery and provide expert advice following the first identification of the incident. The NCSC has made the defence of the UK democratic process a top priority in strengthening cyber resilience for electoral systems.

The most significant measure was improving security on the commission’s IT infrastructure. Whilst it is known which systems were accessible to the hackers, the extent of the files accessed, although limited in data, has uncertainty.

MP Action

Registers for each year hold details for over 40 million individuals, including people on open registers whose information is public domain. The hacked registers did not contain details of anyone who registered anonymously.

MP Angela Rayner, Labour Deputy Leader, had expressed deep concern about the attacks and how they prey upon Britain’s resilience to cyber threats and our democracy, as well as support in taking further steps to protect it. Following the daunting attack on the Electoral Commission, full investigations and understanding are being pushed as a priority.

The Information Commissioner’s Office has begun making enquiries on the case, recognising the concern of those potentially affected and reassuring the public that it is urgently being investigated.

For more information on any cybersecurity conference in your area, check out the upcoming events from Whitehall Media.