The Electoral Commission was the target of a “complex cyberattack,” which left the personal data of almost 40 million UK voters exposed for over a year.
The United Kingdom’s electoral watchdog, the Electoral Commission, claimed in a statement on Wednesday that it first noticed suspicious activity on its network in October 2022. However, it later acknowledged that unidentified “hostile actors” had first gained access to its systems more than a year earlier, in August 2021.
When asked why the Electoral Commission couldn’t make the incident public, spokeswoman Andreea Ghita replied that there were “several steps” that the Commission had to take.
“We had to take away the actors’ access to our system. To determine who might be impacted and to communicate with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), we had to determine the magnitude of the event. In order to stop future attacks of a similar nature, we also needed to add further security measures,” the spokeswoman stated.
According to a FAQ posted by the Electoral Commission, these steps include tightening network login requirements, enhancing threat monitoring capabilities, and changing firewall settings.
According to a representative for the Electoral Commission, as many as 40 million UK voters may have been impacted by the event, which saw hackers gain access to the Commission’s email, control systems, and copies of the electoral registers. Any voter who registered between 2014 and 2022 is included, as are the names of any overseas voters who have registered.
Security for the UK elections is unaffected
The Electoral Commission claims that data potentially impacted includes full names, email addresses, home addresses, phone numbers, any personal images sent to the Commission, and any information provided via email or online contact forms, although it has not been possible to determine whether the attackers exfiltrated data held on its systems.
Although much of this information is already in the public domain, the watchdog points out that it might be combined with other data to deduce behavioural patterns or to identify and profile specific people.
In addition, the Electoral Commission stated that there has been “no impact” on election security in the UK.
According to the Commission, “the UK’s democratic process is significantly fragmented and key elements of it continue to be based on paper documentation and counting.” “This means that using a cyberattack to influence the process would be very difficult.”
It is still unknown who was responsible for the attack. When queried by TechCrunch, the NCSC replied “we do not know who is responsible for the attack,” and the Electoral Commission stated the same.
“We provided the Electoral Commission with expert advice and support to aid their recovery after a cyber incident was first identified,” the NCSC representative stated, declining to give their name. “Defending the UK’s democratic processes is a priority for the NCSC, and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”