Pierluigi Paganini August 08, 2023

The UK Electoral Commission suffered a data breach that exposed voters’ personal information between 2014 and 2022.

The UK Electoral Commission disclosed a data breach that exposed the personal information of voters in the United Kingdom between 2014 and 2022. The Commission notified the Information Commissioner’s Office.

“Today we announced that we have been the subject of a complex cyber-attack, and our systems were accessed by hostile actors.” reads the announcement published by the Commission on Twitter.

The security breach began two years ago, likely in August 2021, and was discovered in October 2022

“The Electoral Commission has a duty under Articles 33 and 34 of the UK General Data Protection Regulation to notify data subjects if their data has been breached by inappropriate access, loss, or theft from our systems.” reads the data breach notification. “The incident was identified in October 2022 after suspicious activity was detected on our systems. It became clear that hostile actors had first accessed the systems in August 2021.”

According to the data breach notification, the threat actors had access to the Commission’s servers which held its emails, its control systems, and copies of the electoral registers.

Attackers had access to reference copies of the electoral registers, which are held by the Commission for research purposes and to enable permissibility checks on political donations.

The exposed voters’ personal data contained in email system includes name, first name and surname, email addresses (personal and/or business), home address if included in a webform or email, contact telephone number (personal and/or business), the content of the webform and email that may contain personal data, and any personal images sent to the Commission.

The exposed personal data contained in Electoral Register entries includes name, first name and surname, home address in register entries, date on which a person achieves voting age that year.

The Commission pointed out that Electoral Register data not held anonymous registrations and addresses of overseas electors registered outside of the UK.

The UK Electoral Commission attempted to downplay the incident explaining that the cyberattack had no impact on any elections or an individual’s voter registration.

“According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breeches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals.” continues the notificaation.

However, the Commission admitted that threat actors could combine the accessed information with other data in the public domain. Then threat actors can use aggregated data for a broad range of fraudulent activities, including identity theft and phishing attacks.

Impacted individuals should remain vigilant for suspicious emails.

“The attack has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status.” concludes the notification.

The Commission also published a FAQ page related to the data breach.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)