Electoral Commission hit by ‘complex’ 15-month cyber attack

The UK’s Electoral Commission has warned that hostile actors have accessed voter data, including names and addresses, belonging to anyone registered to vote in elections between 2014 and 2022.

The attackers gained access to full names, addresses, and the date on which a person achieves voting age – which is 18 for UK parliamentary elections.

The attackers also had access to the commission’s email and control system as well as the names of those registered as overseas voters, but not their addresses, since the organization doesn’t hold this data. Personal data contained in the email system was also affected and includes name, email, address, telephone numbers, and any personal images along with webform data.

The Information Commissioner’s Office (ICO) risk assessment doesn’t suggest that exposing such personal by itself puts individuals at high risk, given much of this information is already in the public domain. But combined with other pieces of information, it could be used to identify or profile individuals.

Webform data or email attachments, meanwhile, could potentially contain sensitive information such as medical or personal financial details.

No group has claimed responsibility for the attack at the time of writing. The Electoral Commission has reported the incident to the National Cyber Security Centre, and said it notified the ICO within 72 hours of identifying the breach.

The fact that systems were first accessed in August 2021, more than a year before suspicious activity was identified, suggests the cyber criminals were patient and possibly surveilling internal operations.

The commission has been quick to reassure voters that the data can’t be used to interfere with the UK’s electoral process, and insisted the exposed data isn’t enough to impersonate a voter under current rules. But the stolen data could help fuel future attacks and other forms of fraud, according to Matt Aldridge, principal solutions consultant at OpenText Cybersecurity.

“If a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets in an effort to support that nation’s competitive agenda,” he said.

The potential theft of name and home addresses could be used to contribute to targeted social engineering attacks, for example. Aldridge urged organizations to learn from this breach, check their defenses, and ensure staff are trained in cyber security best practices.

“Rather than viewing data protection as a box-ticking exercise,” he continued, “it should be a key priority and integrated into every aspect of an organization.”

The commission hasn’t disclosed how it became aware of the attack, but said it’s been implementing a number of mitigations: “We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.”