The UK's electoral oversight body has disclosed that it fell victim to a "sophisticated cyber attack" potentially jeopardizing the data of millions of voters.
The Electoral Commission has revealed that undisclosed "hostile actors" managed to breach its security, gaining access to copies of the electoral registers dating back to August 2021.
The attackers also infiltrated the commission's emails and "control systems," although the breach wasn't detected until October of the previous year.
The commission is urging the public to be vigilant for unauthorized use of their data. It clarified that the compromised registers were held for research purposes and for scrutinizing political donors.
CEO Shaun McNally stated that while the commission is aware of the systems the hackers accessed, it cannot definitively identify which files they accessed.
The accessed data includes the names and addresses of UK citizens who registered to vote between 2014 and 2022. This encompasses those who chose to withhold their details from the open register, which can still be obtained by entities like credit reference agencies.
The compromised data also includes the names (excluding addresses) of overseas voters.
However, the information of individuals who registered anonymously for safety or security reasons remained unaffected.
While the exact number of affected individuals is challenging to predict, the commission estimates that each year's register contains details of approximately 40 million people.
The commission clarified that the personal information on the registers, comprising names and addresses, in itself doesn't pose a "high risk" to individuals. Nevertheless, when combined with other public data, it could potentially be exploited to "identify and profile individuals."
The commission did not specify the exact date the hackers' access was terminated, but it emphasized that steps were taken as soon as the attack was identified in October 2022.
The delay in publicizing the breach was attributed to the need to first halt the hackers' access, assess the extent of the incident, and enhance security measures.
The commission stated that the attackers were unable to modify or delete information on the electoral registers, which are maintained by registration officers across the country.
The breach didn't affect information about donations and loans to political parties and registered campaigners, which is stored in a separate, unaffected system.
Mr. McNally acknowledged public concern and expressed apologies to those affected.
To prevent future attacks, the commission has implemented measures such as updating login requirements, enhancing alert systems, and revising firewall policies.
The Information Commissioner's Office, responsible for data protection in the UK, has initiated an urgent investigation.