Hackers Compromised UK Electoral Commission Servers Two Years Ago; 40 Million Voters Affected

Hackers hit the systems of the UK Electoral Commission all the way back in August 2021, and authorities found out only in October 2022. And only now have they admitted to the existence of the cyberattack.

Attacks on electoral systems are not new, but the breadth of the latest attack in the UK is too expansive to ignore. In fact, not only did the attackers manage to comprise the Electoral Commission’s systems, but they also managed to stay hidden for more than a year.

According to notification notice published by the Commission, attackers first gained access to the servers in August 2021, and it went undetected for more than a year.

“They were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations,” officials said in the notification.

“The registers held at the time of the cyber-attack include the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters,” the added. “The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.”

The leaked personal data includes the full name, email address, home address, phone numbers, personal images and even the date on which a person achieves voting age that year.

According to a Guardian report, the Commission doesn’t know who the attackers were and it can’t really be sure what other information the attackers accessed.

The voting systems hold information on over 40 million voters, and it’s difficult to determine how people or voters will be affected. However, authorities say the leaked data can’t really be used to influence elections.

There’s also no information on how the intruders managed to gain access and remain so long undetected.

“We have taken steps to secure our systems against future attacks and improved our protections around personal data,” the Commission said. “We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.”