Electoral Commission apologises for data breach affecting millions of voters
Chief exec apologises, but significant gaps remain in what is known about the attackers, the extent of the attack and why it took the commission so long to inform voters about it
The Electoral Commission issued a public notification earlier today, confirming that the personal data of up to 40 million UK voters has been compromised by unknown "hostile actors," in what it termed a complex cyberattack. Electoral Commission Chief Executive Shaun McNally also apologised for the data breach.
The election watchdog confirmed in the statement that it became aware of the attack in October 2022, but that the hostile actors had been able to access its systems since August 2021. The attack was reported to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).
The attackers were able to access email servers, control systems, and copies of the electoral registers. This means the unknown attackers would have been able to quietly access the full names and addresses of everyone in the UK registered to vote between 2014 and 2022, as well as the names of overseas voters. The millions of people who fall into this category should, according to this afternoon's statement, "remain vigilant for unauthorised use or release of their personal data."
The statement also emphasises that much of the data potentially compromised, such as names and address details, does not pose a high risk to individuals. However, it also notes the possibility that this data could be combined with other data in the public domain to identify or profile individuals.
A spokesperson for the ICO said: "The Electoral Commission has contacted us regarding this incident and we are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.
"In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support."
Because the UK's voting system is low-tech and paper-based, the chances of any impact on elections are small, and the commission states that the breach has not affected anyone's electoral registration status.
Questions remain
So, we can all stand down then? Well, no. The statement released by the commission, and an FAQ that it has also put up on its website, raise several questions.
The first is why it took so long for details of the breach to be made public. Whilst the ICO was informed of the breach within 72 hours, as mandated by the UK GDPR, the data subjects themselves were not. This is not the norm: typically, data subjects are informed within days of a breach being discovered. The FAQ states that:
"We needed to remove the actors and their access to our system. We had to assess the extent of the incident to understand who might be impacted and liaise with the National Cyber Security Centre and the Information Commissioner's Office. We also needed to put additional security measures in place to prevent any similar attacks from taking place in the future."
This process did not need to take 10 months, and it is not clear why it did.
Computing contacted the Electoral Commission to ask this question and received an exact repetition of the statement above, along with a message stating that, now that the Electoral Commission is under investigation by the ICO, information which could compromise that investigation cannot be released.
In his statement this afternoon, Electoral Commission Chief Executive Shaun McNally said:
"We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed."
Has data been exfiltrated? We just don't know. The implications of attackers having approximately 14 or 15 months of access to systems before being identified are not addressed in the statement.
The fact that the attackers remain unidentified is also a concern. Interference in democratic systems by hostile states carries significant implications, and there is a strong argument for this being discussed openly and transparently. In response to Computing's question, a spokesperson said:
"The Commission does not know who is responsible for the attack. We reported the incident to the National Cyber Security Centre (NCSC). No groups or individuals have claimed responsibility for the attack."
The spokesperson continued:
"We have learned lessons from this incident that have enabled us to make improvements to the security, resilience, and reliability of the Commission's IT systems.
"We have taken steps to secure our systems against future attacks and improved our protections around personal data. We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.
"We have worked with the National Cyber Security Centre (NCSC) from the outset. We commissioned NCSC-recommended experts to identify the cause of the incident and support us to end the attack. The investigation and its findings presented clear recommendations, which the Commission has implemented."
The cyber security measures described above are basic. This, combined with the fact that it took so long to identify and remediate the attack, suggests at least the possibility that this was not a particularly complex attack, but was of a type that could have been prevented, or at least detected much earlier, had basic threat detection systems been in place.
Cybersecurity industry raises concerns
Cybersecurity specialists have also raised some eyebrows about aspects of the Electoral Commission's response to this attack.
Jake Moore, Global Cybersecurity Advisor at ESET, commented:
"It was only a matter of time before the UK electoral register suffered a cyberattack. Election data remains a prize target for multiple different groups of attackers. Whilst the specifics of the stolen data are unknown, people should remain as cautious as ever with unsolicited communications, even though the majority of the data may have been stolen well over a year ago.
"What remains more worrying is that the attack went undiscovered for 15 months and that the authorities were not alerted to any abnormalities on their systems in that time. Cybercriminals work best in stealth mode but rarely are they undetected for this length of time. However complex an attack is, it is saddening to see malicious actors break in and rummage around for so long."
Dominic Trott, Director of Strategy and Alliances, Orange Cyberdefense, said:
"This incident is more than a breach of critical national infrastructure (CNI) or personal information, it's a breach of the instruments of democracy itself. It's common knowledge that CNI and electoral information are major targets for cybercriminals, so the way this attack has been handled should be questioned. How can it be that the incident was identified in October 2022, but that the general public - those impacted - are only hearing about it now?
"While the Electoral Commission has abided by its legal duty to notify the ICO, it has become usual practice for organisations to inform those impacted about data breaches within the same or a similar timeframe. In effect, it has become de facto standard practice to make a public announcement within days of a breach being discovered. This gives people full awareness of the issue and allows them to take any available steps to protect themselves and their data.
"Despite this misstep, it is comforting that the Electoral Commission has strengthened its security posture since the attack, including its threat monitoring and alert systems, on advice from the NCSC. We can therefore hope that if it is targeted again in future, the attack will come to light and be communicated quicker than in this instance."
However, some have counselled caution before putting concerns about democratic interference on record.
John Hultquist, Mandiant chief analyst, Google Cloud, said:
"Intrusions into election related networks are not tantamount to manipulation of the vote. We should be careful not to ascribe too much meaning to these incidents, which could serve the adversary's interest. In the past Russia's GRU has taken advantage of election related intrusions in Ukraine to suggest they have manipulated the vote, despite lacking the ability to do so. Similarly, in 2020 Iran faked a hack of US election related systems to suggest they manipulated the vote. Ultimately, adversaries seek to undermine our democratic institutions and more often than not they do that by overstating their own power."
This article was updated at 17:17 on 8th August to include the responses of The Electoral Commission.