The Electoral Commission announced yesterday afternoon that it was subject to a complex cyber-attack, with the UK’s democratic process and institutions remaining a target for hostile actors online.
The organisation confirmed that the attack was identified in October 2022 with suspicious activity being detected on its systems. It was then discovered that the perpetrators had first accessed the systems in the summer of 2021, with the Commission working alongside external security experts and the National Cyber Security Centre since, to secure the systems.
Speaking about the breach, Chief Executive of the Electoral Commission Shaun McNally, said:
“The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting. This means it would be very hard to use a cyber-attack to influence the process. Nevertheless, the successful attack on the Electoral Commission highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections.
“We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems.”
Reference copies of the electoral registers were accessed through the attack, with these being held by the Commission to conduct research and enable permissibility checks on political donations. Anyone who registered to vote between 2014 and 2022 had their name and address held on these registers, as well as any overseas voters, however those who registered anonymously were not on the register. The email system used by the Commission was also accessed during the breach.
“We know which systems were accessible to the hostile actors but are not able to know conclusively what files may or may not have been accessed.
“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers being accessed and apologise to those affected.”
To learn more about cyber security across the public sector, register for PSE's Cyber Security event on the 14th September. The event will bring together, key figures and thought leaders in cyber security to discuss ideas and thoughts as to how to overcome the challenge of public sector cyber security.
Image credit: iStock