The UK's elections authority has declared it has been the victim of a "complicated cyber-assault" potentially impacting millions of electors.
The Electoral Commission reported that "hostile actors" had been able to obtain versions of the electoral registers, beginning in August 2021.
Hackers infiltrated its emails and "control systems", yet the attack wasn't uncovered until October of the previous year.
The watchdog has cautioned individuals to be vigilant against any potential misuse of their information.
The commission announced in a public statement that hackers had acquired copies of the registers it had been using for research and to ensure that political donors had complied with the necessary regulations.
Shaun McNally, the chief executive officer, stated that the commission knew which of its systems had been exposed to the hackers, yet could not conclusively determine which records may have been accessed.
The watchdog declared that, when the attack took place, it had stored the names and addresses of UK citizens who had registered to vote between 2014 and 2022.
Individuals who have chosen not to have their details included in the open register - which isn't available to the public but can be acquired, for instance by credit reference agencies - are also included.
The names of overseas voters were part of the data accessed; however, their addresses were not, it said.
The watchdog indicated that the information of individuals who were allowed to register anonymously for reasons such as safety or security was not accessed.
The commission commented that it is difficult to determine precisely how many people may be affected, though it estimates that the register for each year contains roughly 40 million individuals.
It indicated that the personal data stored on its email servers was "probable to pose a low risk to people," even though data contained in a message or attachment could be at risk.
The registers, which hold just the names and addresses of people, do not pose a serious threat to people by themselves, it said. However, if they were combined with other publicly available information, they could be used to identify and profile individuals.
The commission has not said exactly when the hackers' access was terminated, but indicated that its systems were secured promptly after the intrusion was recognized in October 2022.
John Pullinger told BBC News that a "very sophisticated" attempt had been made to break their security, in which the attackers used software "to try and get in and evade [their] systems".
He further stated that the hackers were unable to alter or delete anything on the electoral registers held by various registration officers nationwide.
Information pertaining to donations and loans to political parties and registered campaigners is kept in a system that is unaffected by this occurrence, as stated in the announcement.
Mr McNally said he understood public concern and wished to apologise to those affected.
The commission stated that it had implemented measures to guard against future attacks, such as changing its log-in credentials, alert system and firewall rules.
The UK's Information Commissioner's Office, in charge of data protection, declared that it was conducting an urgent investigation.
This is a very serious matter.
The democratic world is greatly concerned about the potential for hackers to meddle in elections.
The commission has declared that, luckily, the cyber criminals did not alter any election results or any person's registration status in this case.
Do not be deceived - this remains a major breach and the type of attack is telling.
The attack will be seen as reinforcing the arguments of those who back the UK's manual voting system and oppose the use of e-voting in the future.
Supporters will often claim that "pen and paper can't be hacked" when debates about modernisation are held.
It is evident that this was not a typical criminal hacking endeavor, as the hackers had infiltrated the Electoral Commission systems as early as August 2021, likely with a different agenda than simply extorting money.
This adversary was patient and skilled enough to remain undetected inside for such a long period.
It appears that this operation was intended to probe the UK's democratic system for vulnerabilities.
The Electoral Commission has not revealed who was behind it, if it knows.