U.K. Electoral Commission Breach Exposes Voter Data of 40 Million Britons

Cyber Security Threat Summary:
“The U.K. Electoral Commission on Tuesday disclosed a ‘complex’ cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years' worth of voter data belonging to 40 million people. ‘The incident was identified in October 2022 after suspicious activity was detected on our systems,’ the regulator said. ‘It became clear that hostile actors had first accessed the systems in August 2021.’ The intrusion enabled unauthorized access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes. The identity of the intruders is presently unknown” (The Hacker News, 2023).

The impacted systems contained data for anyone in the U.K. who registered to vote between 2014 and 2022, as well as those registered overseas. This data allegedly contains the following information:

  • Name, first name, and surname
  • Email addresses (personal and/or business)
  • Home address if included in a webform or email
  • Contact telephone number (personal and/or business)
  • Content of the webform and email that may contain personal data
  • Any personal images sent to the Commission
  • Home address in register entries
  • Date on which a person achieves voting age that year

Security Officer Comments:
The Commission stated that it delayed disclosure so that it could stop the adversary’s access and investigate the scope of the attack before releasing details to the public. Cybercriminals can combine the data that was allegedly accessed with other publicly known information to identify the impacted individuals and then launch targeted social engineering and phishing attacks against them.

Suggested Correction(s):
The commission says it has taken steps to secure its systems against future attacks and improved protections around personal data. It has also strengthened network login requirements, improved the monitoring and alert system for active threats, and reviewed and updated firewall policies.