UK Voter Data Exposed: Electoral Commission Hack Affects 40 Million People

Around 40 million U.K. voter’s personal data was compromised due to a cyberattack, leading to an exposure that lasted for over a year, after the Electoral Commission became a target of the breach.

The Electoral Commission, which is in charge of monitoring elections in the United Kingdom, issued a statement on Wednesday claiming that it discovered suspicious activity on its network for the first time in October 2022. However, the commission later confirmed that unnamed “hostile actors” had initially examined its IT infrastructure over a year prior earlier in August 2021.

Andreea Ghita, a spokesman for the Electoral Commission, was asked why the institution has only now begun notifying persons who were affected by the incident. In response, Ghita stated that the Electoral Commission needed to complete “several steps” before it could make the issue public.

“We needed to remove the actors and their access to our system. We had to assess the extent of the incident to understand who might be impacted and liaise with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future,” the spokesperson said.

According to a frequently asked questions document provided by the Electoral Commission, these precautions include increasing the stringency of the network’s login requirements, enhancing its threat monitoring capabilities, and bringing its firewall settings up to date.

According to a representative for the Electoral Commission, the event, which involved hackers gaining access to the Commission’s e-mail, IT systems, and files of the electoral votes registers, may have had an impact on as many as 40 million voters in the United Kingdom. This covers anyone who registered as a voter between the years 2014 and 2022, in addition to the identities of individuals who registered to vote from outside the country.

Even though the Electoral Commission has been not able to determine whether the attackers removed data held on its systems, it has stated that the data that could have been compromised includes all of the names, email addresses, residential addresses, and phone numbers of U.K. citizens, as well as any personal images that were sent to the Commission and any details that were submitted via email or online submission forms.

Even though much of this information is already available to the public, the watchdog organization points out that it might be integrated with other information to extrapolate patterns of conduct or to recognize individuals’ profiles.

In addition, the United Kingdom’s Electoral Commission stated that there has not been any impact on the election security at all.

According to the Commission’s findings, “the democratic process in the United Kingdom is significantly dispersed, and significant elements of it are still based on paper records and counting.” Because of this, employing a cyberattack as a means of exerting influence over the process would be extremely challenging.

The spokesman from the National Cyber Security Centre (NCSC) stated that expert advice and help were offered to the Electoral Commission in order to assist their recovery process subsequent to the initial identification of a cyber event. The spokesperson, who chose not to disclose their identity, declined to provide further details. The National Cyber Security Centre (NCSC) places significant importance on safeguarding the democratic processes in the United Kingdom. To this end, the NCSC offers a variety of guidance materials aimed at enhancing the digital security of our voting systems.

Upon being contacted for a statement, James Huyton, the spokesperson for the ICO, acknowledged that the Electoral Commission had informed the data security agency about the incident. However, he refrained from providing any explanation of the reason behind the nine-month postponement in making this information public.

Check Out: Data Leakage Fines: New Pakistan Bill Sets Penalty at $2 Million.