UK Electoral Commission hacked, Data of 40 million UK voters exposed
Take action: Only a government institution can delay reporting of an incident for more than 9 months and say "it's fine". The government institutions must be held to a much higher standard for cybersecurity.
Approximately 40 million U.K. voters had their personal information exposed to hackers for more than a year following what is described as a "complex cyberattack" on the U.K. Electoral Commission.
The Electoral Commission, responsible for overseeing elections in the U.K., initially detected suspicious activity on its network in October 2022. After a subsequent investigation, it was determined that unidentified "hostile actors" had gained unauthorized access to the Commission's systems as far back as August 2021.
No details are available about the nature of the cyberattack, and the identity of the attackers remains unknown.
As for the delay in notifying the public about the incident, the Electoral Commission explained that several critical steps had to be taken before the incident could be made public. These steps included removing the attackers from its systems, comprehensively assessing the scope of the breach to determine the potential impact on individuals, and collaborating with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). Additionally, the Commission needed to enhance its security measures to prevent future attacks.
Among the security measures implemented were stronger network login requirements, improved threat monitoring capabilities, and updates to firewall policies. These changes were detailed in an FAQ published by the Electoral Commission.
The breach exposed a significant amount of sensitive information, including:
- full names,
- email addresses,
- home addresses,
- phone numbers,
- personal images sent to the Commission,
- details provided through email or online contact forms.
Although much of this information might already be publicly available, the concern lies in the potential for the compromised data to be combined with other information to deduce behavioral patterns or profile individuals.
Update - The Electoral Commission has confirmed that it failed a basic cyber-security test around the same time hackers breached its systems, with a whistleblower revealing the automatic fail result during a Cyber Essentials audit. The whistleblower disclosed that the Commission was non-compliant with the Cyber Essentials scheme in the same month as the breach, despite the scheme's government-backed status as a benchmark for minimum cyber-security best practices. Cyber Essentials, although voluntary, is widely used by organizations to demonstrate their security awareness and is required for suppliers bidding on contracts involving sensitive information. The Commission's audit failures were attributed to obsolete and potentially insecure software on approximately 200 staff laptops and on outdated iPhones that Apple no longer supports with security updates.
Despite the gravity of the situation, the Electoral Commission assured the public that the security of U.K. elections remains intact. The decentralized nature of the U.K.'s democratic processes, which include reliance on paper documentation and manual counting, makes it difficult for a cyberattack to significantly impact the election process itself.