The UK Electoral Commission has revealed a substantial data breach spanning eight years, from 2014 to 2022, that exposed the personal information of voters across the United Kingdom. The Commission, responsible for overseeing elections and political finance regulations, acknowledged the breach and reported the incident to the Information Commissioner’s Office.
A complex cyber-attack compromised the Commission’s systems, leading to unauthorized access by hostile actors. The breach, detected in October 2022, began around August 2021, according to the Commission’s notification.
The data breach impacted critical aspects of the Commission’s operations, including access to its email servers, control systems, and copies of electoral registers. Attackers gained access to reference copies of the electoral registers, which are used for research purposes and to verify the permissibility of political donations.
Personal data exposed in the breach included individuals’ names, email addresses, home addresses, contact numbers, and even the content of webforms and emails exchanged with the Commission. Electoral Register entries revealed personal details such as birthdates and home addresses, but the Commission stressed that anonymous registrations and overseas electors’ addresses were not affected.
While the Commission downplayed the immediate impact on elections or voter registration, it acknowledged that threat actors could potentially combine the breached information with publicly available data to carry out various fraudulent activities, including identity theft and phishing attacks. The Commission urged affected individuals to remain cautious of suspicious emails and to heighten their vigilance.
Although the breach did not directly affect the electoral process or individuals’ access to the democratic process, the Commission’s admission of potential risks underscores the broader challenges posed by sophisticated cyber-attacks and data breaches in today’s interconnected digital landscape.