The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years' worth of voter data belonging to 40 million people.
"The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said. "It became clear that hostile actors had first accessed the systems in August 2021."
The intrusion enabled unauthorized access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes. The identity of the intruders is presently unknown.
The registers included the name and address of anyone in the U.K. who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. However, they did not contain information about those who qualified to register anonymously or the addresses of overseas electors registered outside of the U.K.
The details exposed as a result of the cyber incident are as follows:
- Name, first name, and surname
- Email addresses (personal and/or business)
- Home address if included in a webform or email
- Contact telephone number (personal and/or business)
- Content of the webform and email that may contain personal data
- Any personal images sent to the Commission
- Home address in register entries
- Date on which a person achieves voting age that year
It's not clear why the disclosure was delayed by another 10 months, but the Commission told the BBC and The Guardian that it was done to stop the adversary's access, investigate the extent of the breach, and enforce security guardrails.
The Commission also noted that the accessed data could be combined with other details that are already available in the public domain to "infer patterns of behavior or to identify and profile individuals."
It also emphasized that the attack has no impact on the electoral process or electoral registration status, and that the data held in its email servers is unlikely to pose a risk to people unless any sensitive information was shared in those messages.
"Anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorized use or release of their personal data," the watchdog said, adding it has put in place mitigations to secure against future attacks.