The UK’s Electoral Commission revealed a cyber attack that allowed unknown threat actors to access the data of 40 million voters. It gets worse though. This pwnage went unnoticed for a year and was not disclosed to the public for an additional 10 months.
The Electoral Commission apologized for the security breach in which the names and addresses of all voters registered between 2014 and 2022 were open to “hostile actors” as far back as August 2021. The attack was discovered last October and reported within 72 hours to the Information Commissioner’s Office (ICO), as well as the National Crime Agency. However, the public has only now been informed that the electoral registers containing the data of millions of voters may have been accessible throughout that time.
The Electoral Commission said it was “not able to know conclusively” what information had been accessed. It is not known whether the attackers were linked to a hostile state, such as Russia, or a criminal cyber gang. The watchdog said “much of the data” was already in the public domain and insisted it would be difficult for anyone to influence the outcome of the UK’s largely paper-based electoral system, but it acknowledged that voters would still be concerned.
The attackers were able to access full copies of the electoral registers, held by the commission for research purposes and to enable permissibility checks on political donations. These registers include the name and address of anyone in the UK who was registered to vote between 2014 and 2022. The commission’s email system was also accessible during the attack. The full register held by the Electoral Commission contains name and address data that can be inspected by the public but only locally through electoral registration officers, with only handwritten notes allowed. The information is not permitted to be used for commercial or marketing purposes. The data of anonymous voters whose details are private for safety reasons and the addresses of overseas voters were not accessible to the intruders in the IT system.
All together now…. Whiskey Tango Foxtrot????
This is an epic screw-up, and heads need to roll over it, because it is totally unacceptable that data on 40 million people is out there in the hands of someone to do whatever nefarious things they plan on doing with it. Apologies are not enough. Actions to ensure that this never happens again, along with having those who let this happen pay the price, are the only way to stop epic screw-ups like this going forward.