The Electoral Commission has said it has been the subject of a cyber attack in which hostile actors have been able to access its systems.
The organisation, which oversees elections and regulates political finance in the UK, said it first identified the incident in October 2022 and that it became clear the attackers had first got into its systems in August 2021.
It has since worked with the National Cyber Security Centre (NCSC) and external security experts to investigate and secure its systems.
The commission acknowledged that the hostile actors were able to access reference copies of electoral registers that it holds for research purposes and to enable permissibility checks on political donation. Those held at the time of the attack included the name and address of anyone in the UK registered to vote between 2014 and 2022, as well as those registered as overseas voters.
There has been no indication that the information was copied, removed or published online, and it did not include details of those registered anonymously.
It added that its email system was accessible during the attack.
Improved protection
The commission notified the Information Commissioner’s Office (ICO) within 72 hours and has now published a public notification on its website. This says it has taken steps to secure systems against future attacks and improved protections around personal data.
It has also strengthened its network login requirements, improved the monitoring and alert system for active threats and reviewed and updated firewall policies.
The incident is currently under investigation by the ICO.
Electoral Commission chief executive Shaun McNally played down fears of it influencing the electoral process but acknowledged the serious nature of the attack.
Election process
He said: “The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber attack to influence the process.
“Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.
“We regret that sufficient protections were not in place to prevent this cyber attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems."
He added: “We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”
