Electoral Commission falls victim to cyber-attack, warns organisations involved in elections to be cautious

The Electoral Commission has warned that organisations involved in elections remain a target to cyber attackers after revealing that it was subject to a cyber-attack which saw hostile actors access electoral register files.

Announcing the attack yesterday (8 August), the Commission said the incident was identified in October 2022 when suspicious activity was detected on its systems. It later became clear the attackers first accessed the systems in August 2021.

As part of the incident, attackers were able to access reference copies of the electoral registers held by the Commission for research purposes and to enable permissibility checks on political donations.

The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

The registers did not include the details of those registered anonymously. The Commission's email system was also accessible during the attack.

Electoral registers are held and maintained by individual Electoral Registration Officers for each local authority area, but the Commission is one of a number of organisations which has copies to support it in fulfilling its role in the democratic process.

The regulator said it has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.

Shaun McNally, the Electoral Commission's Chief Executive, said the incident "highlights that organisations involved in elections remain a target, and need to remain vigilant to the risks to processes around our elections".

He added: "We regret that sufficient protections were not in place to prevent this cyber-attack. Since identifying it we have taken significant steps, with the support of specialists, to improve the security, resilience, and reliability of our IT systems."

McNally said the data contained in the electoral registers is limited, and much of it is already in the public domain. Despite this, he added: "[We] understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected."

The Commission notified the Information Commissioner's Office (ICO) within 72 hours of identifying that data on its systems may have been accessed. It published a formal notification yesterday.

An ICO spokesperson confirmed that an investigation is now underway, noting: "The Electoral Commission has contacted us regarding this incident and we are currently making enquiries. We recognise this news may cause alarm to those who are worried they may be affected and we want to reassure the public that we are investigating as a matter of urgency.

"In the meantime, if anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support."

Adam Carey