The Electoral Commission has just revealed it was subject to a complex cyber-attack – but does not know what data was accessed, or who was behind the hack.
Hostile players 1st gained access to the regulator’s systems in Aug. 2021, but were only discovered in Oct. last year after ‘a suspicious pattern of log-in requests.
Statement
In a statement, the commission revealed hackers were able to access copies of electoral registers, held for research purposes & to enable permissibility checks on political donations.
It added: ‘The registers held at the time of the cyber-attack include the name & address of anyone in the UK who was registered to vote between 2014-2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously.
‘The Commission’s email system was also accessible during the attack.’
Hostile Players
The Electoral Commission’s CEO Shaun McNally observed that while the regulator knew which systems were accessible to the hostile players, they did now know exactly which files had been accessed.
‘While the data contained in the electoral registers is limited, & much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed & apologise to those affected,’ commented Mr McNally.
Personal Data
In a statement, the commission added ‘the personal data most likely to have been accessible includes any names, addresses, email addresses, & any other personal data sent to us by email or held on the electoral registers.
However, a Q & A about the attack adds that any details provided to us via email or through forms on the website, such as the ‘contact us online’ form, may also have been accessed.
Not in Place
‘We regret that sufficient protections were not in place to prevent this cyber-attack,’ added Mr Mcnally. ‘Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, & reliability of our IT systems.’
The commission reported the attack to the National Cyber Security Centre (NCSC) but does still not know who is behind the breach. No one has claimed responsibility for the hack.
However, Mr McNally stressed the attack was unlikely to have had any effect on elections that took place during that time, including the May 2022 local elections & the June 2022 Wakefield by-election, caused by the resignation of Imran Ahmad Khan after he was found guilty of sexual assault.
Significantly Dispersed
‘The UK’s democratic process is significantly dispersed & key aspects of it remain based on paper documentation and counting,’ explained Mr Mcnally. ‘This means it would be very hard to use a cyber-attack to influence the process.
‘Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, & need to remain vigilant to the risks to processes around our elections.’
The commission stated there was ‘no evidence’ that information gained in the hack had been published online, but ‘there remains the possibility that some information has found its way into the public domain’.
It also provided some steps voters can take to check data.
Voters’ Confidence
Professor Alan Woodward, a University of Surrey based computer security specialist, warned the main disruption from the cyber-attack would be damage to voters’ confidence,& that voters had little cause to worry.
‘Electoral registers are public domain data,’ he commented. ‘I suspect the main problem will be reputational damage.
Based on what we know there should be little impact in the short term, but this type of hack tends to erode confidence, & in this case it is confidence in an institution that is important to our democratic processes.
‘It is the aim of some malicious states to achieve exactly that.’
