The UK Electoral Commission disclosed a massive data breach exposing the personal information of anyone who registered to vote in the United Kingdom between 2014 and 2022.
The disclosure comes ten months after the Commission first detected the breach and two years after the initial breach occurred, raising questions about why it took so long to report the incident to the public.
In the “public notification of cyber-attack,” the Commission says they first detected the attack in October 2022 but since learned that threat actors breached their systems much earlier, in August 2021.
As part of this cyberattack, the threat actors accessed the government agency’s servers holding its email, control systems, and copies of electoral registers.
“They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations,” warns the data breach notification.
“The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”
However, the exposed election registers did not contain the personal information of those who registered anonymously.
The Electoral Commission says the exposed voter information includes:
- Personal data contained in email system of the Commission:
- Name, first name and surname.
- Email addresses (personal and/or business).
- Home address if included in a webform or email.
- Contact telephone number (personal and/or business).
- Content of the webform and email that may contain personal data.
- Any personal images sent to the Commission.
- Personal data contained in Electoral Register entries:
- Name, first name and surname
- Home address in register entries
- Date on which a person achieves voting age that year.
During the attack, the threat actors had access to the Commission’s email server, exposing any internal and external communications with the agency.
The Commission says that the cyberattack had no impact on any elections or an individual’s voter registration.
The agency is downplaying the attack stating that no voter registration was modified and that “much of it is already in the public domain.”
However, only a voter’s name and address are publicly available in the UK open register. The other exposed information, such as phone numbers and email addresses, can be valuable for threat actors who can use it in more targeted phishing attacks or identity theft.
Therefore, all UK voters should be on the lookout for targeted phishing emails attempting to gather further sensitive information, such as passwords, account numbers, or financial information.
If you receive suspicious emails, do not click on any links; instead, contact the alleged organization via phone to confirm the email’s authenticity.