UK election watchdog failed to discover system hack for 15 months

The UK’s Electoral Commission today announced it suffered a cyberattack in August 2021, with attackers gaining access to registers that contained the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

In a statement issued by the Electoral Commission via its website, the election watchdog said that although attackers first gained access to electoral registers and the commission’s email system in August, the hack wasn’t identified until October  2022, when the electoral body became aware of a suspicious pattern of log-in requests being made to its systems.

The commission said while it is “not able to know conclusively” what information had been accessed, the personal data most likely to have been accessible includes names, addresses, email addresses, and any other personal data sent to the commission by email or held on the electoral registers. Due to large parts of the UK’s electoral system still being paper based, however, “it would be very hard to use a cyber-attack to influence the [electoral] process.” The Commission also sought reassure those that might have been affected by the breach by noting that the hack will not impact an individual’s ability to take part in the democratic process or affect their current registration status or eligibility to vote.

“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems,” Shaun McNally, the Electoral Commission chief executive, said in a statement.

In line with requirements under the law, McNally said the Electoral Commission notified the Information Commissioner’s Office (ICO) within 72 hours of identifying the breach and the ICO is currently investigating the incident.

“The Electoral Commission has contacted us regarding this incident and we are currently making enquiries,” a spokesperson for the ICO said in a statement. “We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”

Attackers remain unknown

Those responsible for the attack remain unknown and the commission said no groups or individuals have claimed responsibility for the breach.

While it was only a matter of time before the UK electoral register suffered a cyberattack, what remains more worrying is that the attack went undiscovered for 15 months, said Jake Moore, global cybersecurity advisor at internet security company ESET.

“Cybercriminals work best in stealth mode but rarely are they undetected for this length of time. However complex an attack is, it is saddening to see malicious actors break in and rummage around for so long,” he said, in comments emailed to reporters.

The Electoral Commission said that there were various steps it needed to take before informing the public about the attack. “We needed to remove the actors and their access to our system,” the commission said in its statement. “We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future.”