All UK voter’s data since 2014 leaked in cyber-attack, says Electoral Commission

Voters have been reassured a data leak “has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status”.

The Electoral Commission has been the subject of a complex cyber-attack. The incident was identified in October 2022 after suspicious activity was detected on their systems, they say it became clear that hostile actors had first accessed the systems in August 2021. No groups or individuals have claimed responsibility for the attack, and the Commission have no idea who carried out the attack.

If you were registered to vote in the UK between 2014 and 2022, your address may have been accessed during this cyber-attack. The addresses of those on the open register are already publicly available. The addresses of those who opt out of the open register, are not made publicly available, but were accessible during this cyber-attack.

In a statement Electoral Commission said, “The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.”

“During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers.”

“They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.”

“We understand the concern this attack may cause and apologise to those affected. Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks”

They added, “It is our assessment that the information affected by this breach does not pose a high risk to individuals and this notification is being given due to the high volume of personal data potentially viewed or removed during the cyber-attack.”

They detailed the scope of data leaked in the incident:

Personal data affected by this incident:

• Personal data contained in email system of the Commission:
  • Name, first name and surname.
  • Email addresses (personal and/or business).
  • Home address if included in a webform or email.
  • Contact telephone number (personal and/or business).
  • Content of the webform and email that may contain personal data.
  • Any personal images sent to the Commission.
• Personal data contained in Electoral Register entries:
  • Name, first name and surname
  • Home address in register entries
  • Date on which a person achieves voting age that year.

The Commission’s email servers were also affected, but the don’t deem it high risk – unless you sent them a sensitive email, “It is also unlikely to present a high risk to individuals unless someone has sent us sensitive or personal information in the body of an email, as an attachment or via a form on our website, such information may include medical conditions, gender, sexuality, or personal financial details. Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident.

A spokesperson for the ICO, the UK’s independent regulator on data protection, said: “The Electoral Commission has contacted us regarding this incident and we are currently making inquiries.

“We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.”