UK Electoral Commission reveals it was the victim of a cyberattack in 2021; news only made public today (8 August).
The UK Electoral Commission has revealed that it was the victim of a cyberattack that breached the personal data of voters and internal systems.
The incident was identified in October 2022, and investigations uncovered that cyber criminals first accessed the systems in August 2021. Despite this, news of the attack was only shared with the public today.
The Electoral Commission has a duty under Articles 33 and 34 of the UK General Data Protection Regulation to notify data subjects if their data has been breached by inappropriate access, loss, or theft from its systems.
In a statement, the Electoral Commission said: “During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers.
“They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.
“We understand the concern this attack may cause and apologise to those affected. Since the attack was discovered, we have worked with security specialists to investigate the incident and have taken action to secure our systems and reduce the risk of future attacks.”
UK Electoral Commission response: Is it good enough?
Dominic Trott, Director of Strategy and Alliances, Orange Cyberdefense, said: “This incident is more than a breach of critical national infrastructure (CNI) or personal information, it’s a breach of the instruments of democracy itself. It’s common knowledge that CNI and electoral information are major targets for cybercriminals, so the way this attack has been handled should be questioned. How can it be that the incident was identified in October 2022, but that the general public – those impacted – are only hearing about it now?
“While the Electoral Commission has abided by its legal duty to notify the ICO, it has become usual practice for organisations to inform those impacted about data breaches within the same or a similar timeframe. In effect, it has become de-facto standard practice to make a public announcement within days of a breach being discovered. This gives people full awareness of the issue and allows them to take any available steps to protect themselves and their data.
“Despite this misstep, it is comforting that the Electoral Commission has strengthened its security posture since the attack, including its threat monitoring and alert systems, on advice from the NCSC. We can therefore hope that if it is targeted again in future, the attack will come to light and be communicated quicker than in this instance.”