Hackers had access to UK voter data for over a year before anyone noticed

A cyberattack that began in August 2021 exposed the personal data of people in the United Kingdom who registered to vote between 2014 and 2022. The attack wasn’t detected until October 2022, the UK Electoral Commission reported today. Attackers would have also had access to data from voters who’d opted to keep their data off public voter rolls, according to the BBC.

The Electoral Commission said on X (formerly Twitter) that it waited to report the delay so it could stop the attack and “assess the extent of the incident” as well as harden its systems and get in touch with the National Cyber Security Centre and the UK Information Commissioner’s Office.

Much of the data was “already in the public domain,” wrote the Electoral Commission, but there may still be some risk for those whose data was taken from the UK’s independent elections watchdog. Hackers gained access to servers containing copies of voter registration data, the commission’s emails, and its control systems. In particular, the commission says email server data is a higher risk since it could include sensitive details from email text or attachments.

Data from the election register, which contains names, addresses, and other personal details, is lower risk, said the notice. But bad actors could compare it to other data to “infer patterns of behavior or to identify and profile individuals.” Fortunately, neither address information for overseas voters nor anonymous registrants was kept by the commission.

The elections watchdog group doesn’t know for sure what files were accessed, according to information from UK Electoral Commission CEO Shaun McNally published at BBC. Commission chair John Pullinger said the attack was “very sophisticated” but that hackers weren’t able to alter or delete any information. The commission also isn’t certain who the attackers are, according to a thread on X.

If you’re worried about how this could affect previous or future elections in the UK, McNally doesn’t seem too concerned. Because “key aspects” of the UK’s democratic process are rooted in “paper documentation and counting,” McNally told The Guardian it would be difficult for “a cyber-attack to influence the process.”

The UK Electoral Commission says immediate action isn’t necessary. But if you think your data was included in the attack (that is, if you registered to vote between 2014 and 2022), the commission says you should keep an eye out for signs your information is being used without your permission.