UK Elections Watchdog Issues Apology After Hack Exposes Voters’ Information

Hackers who targeted the elections watchdog may have gained access to the personal information of tens of millions of British voters.

The Electoral Commission apologized for the systemic flaw but claimed there was a minimal chance that “hostile actors” could sway a vote’s outcome.

The hack, which was made public on Tuesday, gave the perpetrators access to reference copies of electoral registers that contained the names and addresses of voters who had registered between 2014 and 2022.

The commission’s computer systems had been breached by hackers before the attack was discovered in October 2022, in August 2021.

The chief executive of the Electoral Commission, Shaun McNally, said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.

“This means it would be very hard to use a cyber-attack to influence the process.

“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.”

He said significant measures had been taken to improve security on the commission’s IT systems.

“We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed,” he said.

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologize to those affected.”

The commission’s reference copies of the electoral registers, which are used for study and to enable checks on the legality of political donations, were accessible to the hackers.

The names of all UK citizens who were registered to vote between 2014 and 2022, as well as those who were enrolled as foreign voters, are listed in the records that were in existence at the time of the cyberattack.

However, they left out the information for individuals who registered secretly.

The registry for each year has information on some 40 million people, which was available to malicious actors, but this includes persons on open registers, whose data is already known to the general public.

The UK National Cyber Security Centre claimed to have offered the commission professional guidance and assistance.

According to a representative, “Defending the UK’s democratic processes is a priority for the NCSC, and we provide a range of guidance to help strengthen the cyber resilience of our electoral systems.”

The Information Commissioner’s Office of the UK announced that it was investigating the event.

“We recognize this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency,” a spokesman said.

“In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.”