The UK Electoral Commission has revealed that it was the victim of a cyberattack that breached the personal data of voters and internal systems.
In its notice, the Commission said the perpetrators of the cyberattack had access to its servers which held its email, control systems, and copies of the electoral registers.
The registers held at the time of the attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.
In its notice, the Commission said that according to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breeches [sic], the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals. It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.
Delay in notifying the public
The incident was identified in October 2022, and investigations uncovered that cybercriminals first accessed the systems in August 2021. Despite this, news of the attack was only shared with the public today.
The ICO states that data breaches have to be reported within 72 hours of discovery. However, it has said it is now “urgently investigating”.
“We understand the concern this attack may cause and apologise to those affected,” said the Commission. “Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”
If you liked this content…
However, Dominic Trott, director of strategy and alliances at Orange Cyberdefense, Europe’s largest MSSP, has questioned why the Commission chose to wait so long to notify those impacted. He noted that they fulfilled their legal duties, but stresses that it has become the de-facto standard for businesses to make a public announcement as well.
“This incident is more than a breach of critical national infrastructure (CNI) or personal information, it’s a breach of the instruments of democracy itself. It’s common knowledge that CNI and electoral information are major targets for cybercriminals, so the way this attack has been handled should be questioned. How can it be that the incident was identified in October 2022, but that the general public – those impacted – are only hearing about it now?”
Voters to stay vigilant
Others have voiced concerns as to the impact of a breach on the Electoral Commission.
Matt Aldridge, principal solutions consultant at OpenText Cybersecurity described the attack as concerning.
“One concern here is that the stolen data could help to fuel future cyberattacks and other types of fraud. Also, if a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets, in an effort to support that nation’s competitive agenda.
“The fact that name and home address data has been stolen is worrying, as it could contribute to targeted social engineering attacks on the victims involved. My message to voters who may have been affected is to remain vigilant for future scam messages or other communications that may use your name and address to purport legitimacy, and to react with appropriate suspicion. Staying alert and not clicking on suspicious links or providing personal details, whether financial or password related, is the best way to stay protected from all types of phishing emails.”
