Hack left majority of UK voters' data exposed for over a year

The UK's Electoral Commission has revealed that some personal information of around 40 million voters was left exposed for over a year. The agency — which regulates party and election finance and elections in the country — said it was the target of a “complex cyberattack.” It first detected suspicious activity on its network in October 2022, but said the intruders first gained access to its systems in August 2021.

The perpetrators found a way onto to the Electoral Commission's servers, which hosted the agency's email and control systems, as well as copies of the electoral registers. Details of donations and loans to registered political parties and non-party campaigners were not affected as those are stored on a separate system. The agency doesn't hold the details of anonymous voters or the addresses of overseas electors registered outside of the UK.

The data that was exposed included the names and addresses of UK residents who registered to vote between 2014 and 2022, along with those who are registered as overseas voters. Information provided to the commission through email and web forms was exposed too.

"We know that this data was accessible, but we have been unable to ascertain whether the attackers read or copied personal data held on our systems," the commission said. The agency confirmed to TechCrunch that the attack could have affected around 40 million voters. According to UK census data, there were 46.6 million parliamentary electoral registrations and 48.8 million local government electoral registrations in December 2021.

The Electoral Commission says it had to adopt several measures before disclosing the hack. It had to lock out the "hostile actors," analyze the possible extent of the breach and put more security measures in place to stop a similar situation from happening in the future.

Data in the electoral registers is limited and much of it is in the public domain already, the agency said. As such, officials don't believe the data by itself represents a major risk to individuals. However, the agency warned, it's possible that the information "could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behavior or to identify and profile individuals."

The Electoral Commission also noted that there was no impact on UK election security as a result of the attack. "The data accessed does not impact how people register, vote, or participate in democratic processes," it said. "It has no impact on the management of the electoral registers or on the running of elections. The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process."