The UK’s electoral regulator is facing widespread criticism after a major cyber attack affecting 40 million voters was left undisclosed to the public for at least 10 months.

In a public notification on its website, the UK Electoral Commission said it identified the incident in October 2022 after suspicious activity was detected on its systems.

Shortly after, it “became clear” to the regulator that hostile actors had first accessed its systems back in August 2021.

During the attack, cyber criminals gained access to the commission’s servers which held its email, control systems and copies of the electoral registers including the name and address of any UK voter who registered between 2014 and 2022.

Although the attack was identified sometime in October 2022, the regulator did not make a public announcement until 8 August 2023 – ten months after it first detected suspicious activity on its systems.

“It became clear that hostile actors had first accessed the systems in August 2021,” said the UK Electoral Commission.

“The Commission has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.”

The commission assessed that the information affected by the breach does not “pose a high risk” to individuals, and said it was issuing its belated notification only because of the “high volume of personal data potentially viewed or removed during the cyber attack.”

At the same time, the commission went on to list the personal data affected by the incident, which includes full names, email addresses, home addresses, contact telephone numbers, the content of web forms and emails that may contain personal data, and any “personal images” sent to the commission.

Furthermore, the commission made passing mention that its email system was also accessible during the attack, stating “any details provided to the Commission via email” between August 2021 and October 2022 were accessible to the attackers.

The delayed disclosure of the incident has led many UK voters to express frustration online.

“This exposes everyone to a risk of fraud, identity theft and even of being targeted in their homes,” said UK-based digital campaigning organisation Open Rights Group (ORG) on social media site X.

ORG also levelled scrutiny at the UK’s Information Commissioner’s Office (ICO) – which regulates data protection in the UK – saying that if it “was aware of the breach and chose to remain silent” it would “speak volumes about their weaknesses and its failure as a meaningful regulator”.

“If they weren't aware, they need to explain why [the UK Electoral Commission] didn't feel obliged to notify them of something this big,” ORG added.

The Electoral Commission responded that before it could make the incident public, it needed to “remove the actors and their access” to its system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and “put additional security measures in place”.

Commission chair John Pullinger further defended the commission’s 10-month silence, stating “if you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities” – a sentiment also voiced in Australia following breaches at Medibank and the Tasmanian government.

The news comes during mounting debate over whether the UK should switch to an e-voting system or stick to traditional paper ballots.

UK Electoral Commission Chief Executive Shaun McNally suggested it would be “very hard” to influence the UK’s democratic process via cyber attack due to its use of “paper documentation and counting”.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target and need to remain vigilant to the risks to processes around our elections,” he added.

While the commission said no immediate action is needed in response to its notification, it urged affected parties to “remain vigilant for unauthorised use or release of their personal data”.