Intruders accessed systems that stored the names and addresses of domestic and overseas voters.

UK Voters’ Data Breach Leaves Majority Vulnerable for Over 12 Months

Around 40 million voters in the UK had their personal information exposed for over a year, according to the Electoral Commission. The agency, responsible for overseeing party and election finance as well as elections in the country, disclosed that it fell victim to a “complex cyberattack.” Although the suspicious activity on its network was initially detected in October 2022, the intruders had actually gained entry to the systems in August 2021.

The perpetrators found their way to the Electoral Commission’s servers, which host the agency’s e-mail and monitoring systems, as well as copies of electoral rolls. This did not affect the details of donations and loans to registered political parties and non-partisan campaigns, as they are recorded in a separate system. The agency does not hold anonymous voter information or addresses of overseas voters registered outside the UK.

The leaked information included the names and addresses of UK residents who registered to vote between 2014 and 2022, as well as those registered as overseas voters. Information submitted to the Commission by e-mail and online forms was also revealed.

“We are aware that this information was available, but we have not been able to verify whether the attackers have read or copied personal information on our systems,” the commission said. The agency confirmed to TechCrunch that the attack could have affected around 40 million voters. According to UK census data, there were 46.6 million parliamentary electoral registrations and 48.8 million local government electoral registrations in December 2021.

The Electoral Commission says it had to take several steps before the hack was discovered. It had to rule out “hostile actors”, analyze the potential scope of the breach and implement additional security measures to prevent a similar situation from happening again in the future.

The information in the electoral registers is limited and much of it is already public, the agency said. As such, authorities do not believe that the information itself poses a significant risk to individuals. However, the agency warned that it is possible that the data “could be combined with other public information, such as information that individuals choose to share themselves, to infer patterns of behavior or to identify and profile individuals.”

The Electoral Commission also found that the attack had no impact on UK election security. “The information used does not affect how people register, vote or participate in democratic processes,” it said. “It has no impact on the management of electoral registers or the running of elections. The UK’s democratic process is significantly fragmented and key parts of it are still based on paper documentation and counting. This means it would be very difficult for a cyber-attack to affect the process.”