UK Electoral Commission Data Breach Exposes Millions of Registered Voters’ Data

In a public notice, the UK Electoral Commission disclosed the hacking incident that comprised personal data of any individual who had registered to vote in the country between 2014 and 2022.

The incident came to light when a suspicious activity was detected on its systems in October 2022. Further investigation revealed that the perpetrators had first hacked into the servers in August 2021. The delay in identification and disclosure raises security concerns about why such an attack went unnoticed and unreported in the said 25 months.

In the attack, the unknown hackers accessed reference copies of the electoral registers retained by the Commission for permissibility checks on political donations and research purposes. The registers contained the name and address of UK voters who registered in the said 8-year period, as well as name and address of overseas voters.

The details of voters registered anonymously were not found in these registers.

Additionally, the Commission’s email system was also accessed by the threat actors, thereby exposing personal details of voters. The data includes name, home and email address, phone number, and any personal image shared with the Commission.

However, financial information like donations and loans to registered political parties and non-party campaigners remains secure. The Commission went on to assure the public that the overall electoral process, including voters’ registration status also remained unaffected.

Further downplaying the incident, it said that ‘’No immediate action needs to be taken in response to this notification. However, anyone who has been in contact with the Commission, or who was registered to vote between 2014 and 2022, should remain vigilant for unauthorized use or release of their personal data.’’

In the statement, the Commission revealed that it had taken the necessary steps to mitigate the security concerns, including bolstering the system against external attacks and protecting voters’ personal data. It also partnered with third-party security experts and the UK National Cyber Security Centre to investigate and enhance its security system.