Hackers were able to access UK voter registers undetected for 15 months, the Electoral Commission said on Tuesday, disclosing what it called a “complex cyber-attack.”
(Bloomberg) — Hackers were able to access UK voter registers undetected for 15 months, the Electoral Commission said on Tuesday, disclosing what it called a “complex cyber-attack.”
“Hostile actors” could obtain the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters, the commission said in a statement on Tuesday. The hackers first accessed Electoral Commission systems in August 2021, but the breach was not identified until in October 2022, it said.
While the commission said there was not a “high risk” to individuals as a result of the hack, the revelation raises questions about security surrounding sensitive digital records held by British institutions. The National Cyber Security Centre part of the government’s GCHQ listening post — warned earlier this month that organizations should update their systems after a series of malicious cyber attacks in 2022.
“The attack has not had an impact on the electoral process,” the commission said in a separate question-and-answer page on its website. “We do not know who is responsible for the attack.”
The commission said its email system was also compromised and confirmed it has worked with the NCSC to investigate the hack and secure its systems.
“Defending the UK’s democratic processes is a priority for the NCSC and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems,” the cyber security body said in a statement.
Electoral Commission Chief Executive Officer Shaun McNally said in the statement that the group has not yet been able to “know conclusively what files may or may not have been accessed.”
The organization warned that anyone who had been in contact with the commission or had registered to vote between 2014 and 2022 “should remain vigilant for unauthorized use or release of their personal data.”
It also explained the delay in disclosing the hack, saying there were “several steps” it needed to take beforehand, including removing the hackers from its systems, assessing the extent of the incident and understanding who might be affected.
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.