Brian Sims
Editor
THE ELECTORAL Commission has reported a cyber attack perpetrated on its systems by “hostile actors”. The incident was identified in October last year after suspicious activity was detected. It became clear that “hostile actors” had first accessed the organisation’s systems back in August 2021.
During the cyber attack, the perpetrators had access to The Electoral Commission’s servers which held its e-mail system, control systems and copies of the electoral registers.
The attackers were able to access reference copies of the electoral registers, which are held by The Electoral Commission for research purposes and to enable permissibility checks on political donations.
The registers held at the time of the cyber attack included the names and addresses of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as being overseas voters. The registers did not include the details of those registered anonymously.
The Electoral Commission understands the concern this attack may have caused and has offered its apologies to all those affected. Since the attack was discovered, the organisation has worked with security specialists to investigate the incident and taken action to secure systems in a bid to reduce the risk of future attacks in the cyber domain.
Risk level
According to a statement on its website, The Electoral Commission has affirmed that information affected by this breach does not pose a high risk to individuals. Notification of the security breach is being given due to the high volume of personal data potentially viewed or removed during the cyber episode.
Personal data affected by this incident
Personal data contained in the e-mail system of The Electoral Commission:
*Name, first name and surname
*e-mail addresses (personal and/or business)
*home address (if included in a webform or e-mail)
*contact telephone number (personal and/or business)
*content of the webform and e-mail that may contain personal data
*any personal images sent to The Electoral Commission
Personal data contained in the electoral register entries:
*Name, first name and surname
*home address in register entries
*date on which a person achieves voting age that year
Electoral register data not held by The Electoral Commission:
*anonymous registrations
*address of overseas electors registered outside of the UK
The electoral register data held by The Electoral Commission has not been amended or changed in any way as a result of the cyber attack and remains in the form in which it was received. The data contained in the registers is limited, and much of it is already in the public domain. The Electoral Commission’s online privacy policy is accessible online at https://www.electoralcommission.org.uk/privacy-policy
Impact on individuals
According to the risk assessment used by the Information Commissioner’s Office (ICO) to assess the harm of data breaches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals.
However, it’s possible that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals.
The attack has not had an impact on the electoral process, has not affected the rights or access to the democratic process of any individual, nor has it affected anyone’s electoral registration status.
The personal data held on The Electoral Commission’s e-mail servers is also unlikely to present a high risk to individuals unless someone has sent sensitive or personal information in the body of an e-mail, as an attachment or via a form on The Electoral Commission’s website. Such information may include medical conditions, gender, sexuality or personal financial details.
Anyone who has been in contact with The Electoral Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorised use or release of their personal data.
Steps towards mitigation
The Electoral Commission has taken steps to secure its systems against future attacks and improved protections around personal data. The organisation has strengthened its network login requirements, improved the monitoring and alert system for active threats and reviewed and updated all firewall policies.
The Electoral Commission has also worked with external security experts and the National Cyber Security Centre to investigate and secure its systems.
Data subjects retain the right to complain to the ICO about this episode.
The ICO itself has commented: “The Electoral Commission has contacted us regarding this incident. We are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected. We want to reassure the public that we are investigating as a matter of urgency.”
Further, the ICO has noted: “In the meantime, if anyone is concerned about how their data has been handled, they should contact us or access our website at www.ico.org.uk for advice and support.”