A massive UK Electoral Commission data breach leaked voter data of 40 million individuals who registered to vote between 2014 and 2022.
The electoral body said it first detected suspicious activity on its network in October 2022 and discovered that threat actors had accessed the systems 14 months prior.
“The incident was identified in October 2022 after suspicious activity was detected on our systems,” the electoral body said. “It became clear that hostile actors had first accessed the systems in August 2021.”
The elections watchdog said threat actors accessed “reference copies of the electoral registers” used for research purposes and for “permissibility checks on political donations.”
UK voter data breach exposed PII but poses no immediate danger
The data breach leaked personally identifiable information of 40 million individuals who registered to vote in the UK and those casting their ballots overseas.
“The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”
However, the leak excluded details of voters who registered anonymously and “does not pose a high risk to individuals,” the Commission stated. The breach affected both the Commission’s email systems and the Electoral Register.
Details leaked from the compromised email systems include the voter’s name, email address, home address if provided, personal and/or business telephone number, images transmitted to the Commission, and any information filled in the web form.
Threat actors could use the personally identifiable information from the Commission’s email systems to identify individuals and target them with spear phishing attacks. Using generative AI tools could further accelerate disinformation campaigns targeting UK voters.
However, the electoral body downplayed the risk unless someone entered “sensitive or personal information in the body of an email, as an attachment or via a form on our website, such information may include medical conditions, gender, sexuality, or personal financial details.”
The Commission also disclosed that the electoral register leaked individuals’ names, addresses, and the date the voter attained the voting age that year.
However, threat actors did not modify the register, and the Commission claims the information was “limited, and much of it is already in the public domain.” They also could not access information about political donations and loans by political parties.
“According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals,” noted the Commission.
Nevertheless, the UK Electoral Commission acknowledged that threat actors could combine the data accessed with other publicly available information “to infer patterns of behavior or to identify and profile individuals.”
However, the electoral body says the voter data breach warrants “no immediate action,” although victims should remain vigilant for unauthorized use or release of personal information.
Additionally, the Commission took extra steps to secure its systems against future attacks and improve personal data protection.
It also engaged external cyber experts, including the National Cyber Security Centre (NCSC), strengthened network login requirements, improved monitoring and intrusion alert systems, and updated firewall policies.
The UK’s Information Commissioner’s Office has also launched an investigation into the voter data breach.
No threat to electoral and democratic process
Meanwhile, the voter data breach did not violate individuals’ rights or access to democratic elections, or change their registration status, according to the elections watchdog.
“Elections across the UK, Europe, and across much of the world are increasingly being targeted by criminals looking to disrupt, influence, or call into question the validity of election results. So it’s natural that news like this brings about some level of concern,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
Similarly, foreign actors frequently target their adversaries’ electoral and political systems to create a domestic political crisis and achieve broader strategic goals. For example, the Russian interference in the 2016 US presidential election highlighted the risk nation-states pose to democratic processes.
“The Electoral Commission’s breach notification comes alongside recent news highlighting the targeting of politically-relevant organizations’ email systems by APT groups,” said Rob Ames, Threat Researcher at SecurityScorecard. “Microsoft reported that a China-linked threat actor group compromised its cloud assets to conduct espionage against government agencies’ email services.”
According to Shaun McNally, the Electoral Commission’s CEO, the voter data breach does not undermine the integrity of UK elections since most processes are dispersed and “based on paper documentation and counting.”
“Although the Electoral Commission assures us that the largely paper-based process of elections makes it difficult for criminals to sway the outcome, we can’t deny the importance of staying alert in this age of digital democracy,” Malik added.
Similarly, the Commission’s unconvincing security guarantees, the failure to detect the intrusion for 14 months, and the 10-month notification delay raise serious questions about the Commission’s cybersecurity practices.
“The recent revelation of a data breach affecting the UK’s registered voters is deeply concerning, both because of its scale and the significant delay in its disclosure,” noted Nikhil Girdhar, Senior Director of Data Security at Securiti. “This incident underscores the pressing need to evaluate organizational preparedness in both preventing and responding to security threats.”
However, the Commission claims it had to “liaise with the National Cyber Security Centre and ICO” and implement additional security measures before disclosing the breach.
“The UK Commission’s delay in sharing this information with the public may be due to the impact this breach could have on national security,” said Richard Orange, Vice President of EMEA Sales at Exabeam. “Premature data breach disclosure can spur misinformation or cause unnecessary alarm, which is why it’s critical not to share any information before a comprehensive cybersecurity investigation.”