UK’s electoral regulator faces widespread criticism


The UK’s electoral regulator is currently facing widespread backlash following a significant cyber-attack that impacted 40 million voters. Shockingly, this breach was kept hidden from the public for a staggering ten-month period.

The UK Electoral Commission, in a recent announcement on its official website, revealed that it had detected the breach in October of 2022 after noticing suspicious activities on its systems. Subsequent investigation indicated that malicious actors had initially breached the systems as far back as August 2021.

During the course of the attack, cybercriminals managed to gain unauthorized access to the commission’s servers, which contained sensitive information such as email records, control systems, and copies of electoral registers spanning from 2014 to 2022. Despite the breach being identified in October 2022, the regulator chose not to disclose the incident publicly until August 8, 2023 – nearly ten months after the initial detection of suspicious activities.

The UK Electoral Commission stated, “It became clear that hostile actors had first accessed the systems in August 2021”. The commission collaborated with external cybersecurity experts and the National Cyber Security Centre (NCSC) to carry out an investigation and fortify its systems against future breaches.

Although the commission assessed that the breached information did not pose an extremely high risk to affected individuals, it acknowledged that due to the substantial amount of potentially compromised personal data, it was necessary to make a belated announcement. The compromised data included complete names, email addresses, home addresses, contact telephone numbers, content from webforms, emails containing personal information, and even personal images shared with the commission.

Additionally, the commission revealed that its email system had also been accessible to the attackers during the breach, making any information submitted to the commission via email between August 2021 and October 2022 potentially vulnerable.

The delay in disclosing the breach led to considerable frustration among UK voters, who took to social media platforms to voice their concerns. Open Rights Group (ORG), a UK-based digital campaigning organization, also used social media to express its worries about the breach’s implications. ORG not only criticized the UK’s electoral regulator but also turned its attention to the Information Commissioner’s Office (ICO), which is responsible for data protection in the UK. ORG speculated that if the ICO was aware of the breach but chose to remain silent, it would expose weaknesses in their regulatory framework.

The Electoral Commission defended its delayed announcement by explaining that it needed to address the breach comprehensively before going public. Steps included eliminating the attackers’ access, evaluating the extent of the breach, consulting with the National Cyber Security Centre and ICO, and implementing enhanced security measures.

John Pullinger, the commission’s chair, further justified the ten-month silence by noting that publicly disclosing a vulnerability before sealing it off could expose the organization to more vulnerabilities. This sentiment was also echoed in the aftermath of similar incidents in Australia.

This controversy comes amid ongoing discussions about whether the UK should transition to an e-voting system or stick to traditional paper ballots.

Shaun McNally, the Chief Executive of the UK Electoral Commission, asserted that it would be difficult for a cyber-attack to significantly influence the country’s democratic processes due to the use of paper documentation and manual vote counting. He emphasized, however, that the breach underscored the persistent vulnerability of organizations involved in elections and the necessity of maintaining vigilance to safeguard electoral processes.

Although the commission assured the public that no immediate actions were required in response to its notification, it urged affected parties to stay vigilant and monitor their personal data for any signs of unauthorized use or disclosure.

